Construction and uses of variable-input-length tweakable ciphers

ABSTRACT

Innovations in the construction and use of variable-input-length tweakable ciphers (“VILTCs”). In some cases, a VILTC uses an initialization vector that is protected from exposure outside an encryption/decryption system in order to provide enhanced security with efficient performance. For example, a system for encryption and/or decryption includes two fixed-input-length tweakable block ciphers (“FIL TBCs”) and a VILTC. The first FIL TBC is adapted to produce a fixed-length initialization vector. The VILTC is adapted to produce a variable-length output string using the fixed-length initialization vector as a tweak. The second FIL TBC is adapted to produce a fixed-length output string. In this way, the first FIL TBC and the second FIL TBC protect the fixed-length initialization vector from exposure outside the system. In other cases, a VILTC is used for a reliable and efficient implementation of authenticated encryption/decryption with associated data.

RELATED APPLICATION INFORMATION

This application is a divisional of U.S. patent application Ser. No.14/549,531, filed Nov. 20, 2014, which claims the benefit of U.S.Provisional Patent Application No. 61/910,292, filed Nov. 29, 2013, thedisclosures of which are hereby incorporated by reference.

ACKNOWLEDGMENT OF GOVERNMENT SUPPORT

This invention was made with government support under CNS-0845610 andCNS-1319061 awarded by National Science Foundation. The government hascertain rights in the invention.

FIELD

Construction and use of variable-input-length tweakable ciphers withprotected initialization vectors.

BACKGROUND

In general, encryption is the process of encoding information so thatonly authorized parties, and not third parties, can read theinformation. In an encryption scheme, the information (referred to asplaintext) is encrypted using an encryption algorithm, turning it intoan unreadable ciphertext. An authorized party is able to decode theciphertext using a decryption algorithm. In computer systems, encryptionalgorithms encrypt binary values (that is, bits) of information.

A block cipher is an encryption algorithm operating on a fixed-lengthblock of bits. An n-bit block cipher encrypts a block of n bits,producing n bits of ciphertext. Block ciphers are widely used, and thereare many efficient implementations of block ciphers. A block cipher usesan encryption key. The security of a block cipher is understood todegrade as the number of blocks encrypted under a particular keyincreases. While changing the key to a block cipher is not difficult initself, in several important applications the frequent generation anddistribution of new block cipher keys is infeasible.

A tweakable block cipher (“TBC”) is a generalization of a block cipher.An n-character TBC {tilde over (E)} is a family of permutations overΣ^(n), where each permutation in the TBC is associated with a key and atweak. Often, Σ={0,1}, in which case the TBC can be termed an n-bit TBC{tilde over (E)}.) For an input string, the key and tweak togetherspecify the permutation of the input string that is produced by the TBC.In typical usage, the key is secret and fixed across many calls to theTBC, while the tweak is not secret and may change from call to call.This supports variability in the behavior of the TBC by changing valuesof the tweak, even though the key is fixed. If changing values of thetweak is sufficiently simple (compared to the process of key setup andupdate), using a TBC can be an efficient way to expand the volume ofdata that is securely encrypted with a block cipher. Using TBCs cansimplify designing and analyzing algorithms (e.g., algorithms that cansafely handle large volumes of data) A TBC may be useful when the volumeof data to be encrypted is very large, compared to the available keymaterial, and changing the block cipher key is not desirable orfeasible. Even in applications in which the volume of data to beprocessed is not overly large, the tweak input can empower usefulfeatures in practical applications, such as using a TBC with a fixed keyacross several cryptographic uses, or across multiple users.

A tweakable cipher, sometimes called a tweakable enciphering scheme orlarge-block cipher, is an extension of a TBC to thevariable-input-length (“VIL”) setting. Generally, a VIL tweakable cipher(“VILTC”) is a family of length-preserving permutations, producingciphertext output with the same length as the plaintext input. Onecommon approach to implementing VILTCs has been to construct a VILTCprimitive from an underlying n-bit block cipher, sometimes inconjunction with one or more hashing operations. VILTCs constructedaccording to this approach may not provide sufficient securityguarantees for some important use case scenarios, in particular, when nis small (e.g., 64), or when the amount of data to be processed by asingle key is very large.

SUMMARY

In summary, the detailed description presents innovations in theconstruction and use of variable-input-length tweakable ciphers(“VILTCs”). In some cases, these VILTCs use an initialization vectorthat is protected from exposure outside an encryption/decryption systemin order to provide enhanced security with efficient performance. Inother cases, a VILTC is used for a reliable and efficient implementationof authenticated encryption/decryption with associated data.

According to one aspect of the innovations described herein, a systemfor encryption and/or decryption includes two fixed-input-lengthtweakable block ciphers (“FIL TBCs”) and a VILTC. Typically, the two FILTBCs are provided through two calls to a single FIL TBC component.Alternatively, however, the two FIL TBCs can be provided with twodifferent FIL TBCs.

The first FIL TBC (e.g., a first call to a given FIL TBC component, or afirst different FIL TBC component) is adapted to produce a fixed-lengthinitialization vector. For example, in a first call, the given FIL TBCcomponent accepts a fixed-length input string, as first input for thegiven FIL TBC component, and a combination of a tweak for the system anda variable-length input string, as first tweak for the given FIL TBCcomponent. The VILTC is adapted to produce a variable-length outputstring using the fixed-length initialization vector as a tweak. Thesecond FIL TBC (e.g., a second call to the given FIL TBC component, or asecond different FIL TBC component) is adapted to produce a fixed-lengthoutput string. For example, in a second call, the given FIL TBCcomponent accepts the fixed-length initialization vector, as secondinput for the given FIL TBC component, and a combination of the systemtweak and the variable-length output string, as second tweak for thegiven FIL TBC component. The first FIL TBC and the second FIL TBCprotect the fixed-length initialization vector from exposure outside thesystem. The system tweak can be based on an environmental feature of thesystem.

According to another aspect of the innovations described herein, asystem for encryption and/or decryption includes two N-character TBCsand a VILTC. The first N-character TBC (e.g., a first call to a givenN-character TBC component, or a first different N-character TBCcomponent) is adapted to produce an N-character initialization vector.The VILTC is adapted to produce a variable-length output string usingthe N-character initialization vector as a tweak. The second N-characterTBC (e.g., a second call to the given N-character TBC component, orsecond different N-character TBC component) is adapted to produce anN-character output string. In this way, the first N-character TBC andthe second N-character TBC protect the N-character initialization vectorfrom exposure outside the system.

The system can include multiple buffers. For example, a first bufferstores an N-character input string and a variable-length input string,and a second buffer stores the N-character output string and thevariable-length output string. Characters of the N-character inputstring, the variable-length input string, the N-character output string,and the variable-length output string are selected from apre-determined, finite set of symbols (e.g., numbers 0 . . . 9, lettersA . . . Z and numbers 0 . . . 9). The system's inputs also include oneor more keys and a tweak value. The first N-character TBC, the VILTC andthe second N-character TBC can be constructed from randomly generatedpermutation look-up tables. More generally, the first N-character TBC,the second N-character TBC, and the VILTC can be implemented usingspecial-purpose hardware or implemented using software that executes ongeneral-purpose hardware.

In example implementations, the first N-character TBC is adapted toproduce the N-character initialization vector using an N-character inputstring, as input for the first N-character TBC, and a combination of atweak for the system and a variable-length input string, as tweak forthe first N-character TBC. The VILTC is adapted to produce thevariable-length output string using the N-bit initialization vector, astweak for the VILTC, and the variable-length input string, as input forthe VILTC. The second N-character TBC is adapted to produce theN-character output string using the N-character initialization vector,as input for the second N-character TBC, and a combination of the tweakfor the system and the variable-length output string, as tweak for thesecond N-character TBC.

According to another aspect of the innovations described herein, asystem for encryption and/or decryption includes two N-bit tweakableblock ciphers (“TBCs”) and a VILTC. The first N-bit TBC (e.g., a firstcall to a given N-bit TBC component, or first different N-bit TBCcomponent) is adapted to produce an N-bit initialization vector. TheVILTC is adapted to produce a variable-length output string using theN-bit initialization vector as a tweak. The second N-bit TBC (e.g., asecond call to the given N-bit TBC component, or a second differentN-bit TBC component) is adapted to produce an N-bit output string. Inthis way, the first N-bit TBC and the second N-bit TBC protect the N-bitinitialization vector from exposure outside the system.

The system can include multiple buffers. For example, a first bufferstores an N-bit input string and a variable-length input string, and asecond buffer stores the N-bit output string and the variable-lengthoutput string. The system's inputs also include one or more keys and atweak value. The system can also include a controller adapted to adjustN to trade off security and implementation efficiency. A smaller valueof N provides worse security but simplifies efficient implementationsubject to security constraints. On the other hand, a larger value of Nprovides better security but complicates efficient implementationsubject to the security constraints.

In example implementations, the first N-bit TBC is adapted to producethe N-bit initialization vector using an N-bit input string, as inputfor the first N-bit TBC, and a combination of a tweak for the system anda variable-length input string, as tweak for the first N-bit TBC. TheVILTC is adapted to produce the variable-length output string using theN-bit initialization vector, as tweak for the VILTC, and thevariable-length input string, as input for the VILTC. The second N-bitTBC is adapted to produce the N-bit output string using the N-bitinitialization vector, as input for the second N-bit TBC, and acombination of the tweak for the system and the variable-length outputstring, as tweak for the second N-bit TBC. For example, given a tweak Tand an B-bit input X (with B>N), the first N-bits of the input X (X_(L))serve as the input to the first N-bit TBC (e.g., call to N-bit TBC), andthe combination of the remaining (B-N) input bits (X_(R)) and T serve asthe tweak for the first N-bit TBC. The N-bit output of this TBC serve asthe initialization vector for the VILTC call, and X_(R) serves as theinput to the VILTC call, producing a (B-N)-bit output (Y_(R)). Finally,the combination of Y_(R) and T serve as the tweak to a second N-bit TBC(e.g., call to N-bit TBC), which takes the initialization vector asinput, and produces an N-bit output (Y_(L)). The concatenation of Y_(L)with Y_(R) is the resulting output. The length of this concatenation isexactly B-bits, so that the overall processing is length-preserving frominput to output.

The first N-bit TBC and the second N-bit TBC can have an identicalstructure or different structures. As noted, the first N-bit TBC andsecond N-bit TBC can be provided through two calls to the same N-bit TBCcomponent, with different inputs and outputs. In one implementation, atleast one of the first N-bit TBC and the second N-bit TBC is an LRW2 TBCconstruction (defined below), and the VILTC is an iterated LRW2 TBCconstruction (defined below). In another implementation, at least one ofthe first N-bit TBC and the second N-bit TBC is a domain-extended CLRW2construction (defined below), and the VILTC is an iterated CLRW2construction (defined below). More generally, the first N-bit TBC, thesecond N-bit TBC, and the VILTC can be implemented using special-purposehardware or implemented using software that executes on general-purposehardware.

According to another aspect of the innovations described herein, asystem such as an encryption system or decryption system processes afixed-length input string, a tweak for the system, and a variable-lengthinput string to produce a fixed-length output string and avariable-length output string. The tweak for the system can be set basedon an environmental feature. As part of the processing, the systemproduces a fixed-length initialization vector, produces thevariable-length output string with a VILTC using the fixed-lengthinitialization vector as a tweak, and then obscures the fixed-lengthinitialization vector. The system outputs the fixed-length output stringand the variable-length output string.

According to another aspect of the innovations described herein, asystem such as an encryption system or decryption system processes anN-character input string, a tweak for the system, and a variable-lengthinput string to produce an N-character output string and avariable-length output string. As part of the processing, the systemproduces an N-character initialization vector, produces thevariable-length output string with a VILTC using the N-characterinitialization vector as a tweak, and then obscures the N-characterinitialization vector. The system outputs the N-character output stringand the variable-length output string.

The processing can be part of, for example, (1) format-preservingencryption, (2) format-preserving decryption, or (3) some otherencryption or decryption activity. For encryption, the N-character inputstring and the variable-length input string are plaintext, and theN-character output string and the variable-length output string areciphertext. For decryption, the N-character input string and thevariable-length input string are ciphertext, and the N-character outputstring and the variable-length output string are plaintext.

In example implementations, the N-character initialization vector isproduced with a first FIL TBC and is obscured by a second FIL TBC, whichproduces the N-character output string. The N-character initializationvector is produced with the first FIL TBC based on the N-character inputstring, as input for the first FIL TBC, and a combination of a tweak forthe system and the variable-length input string, as tweak for the firstFIL TBC. The variable-length output string is produced with the VILTCbased on the N-character initialization vector, as tweak for the VILTC,and the variable-length input string, as input for the VILTC. TheN-character output string is produced with the second FIL TBC based onthe N-character initialization vector, as input for the second FIL TBC,and a combination of the tweak for the system and the variable-lengthoutput string, as tweak for the second FIL TBC. The system tweak can beset based on an environmental feature.

According to another aspect of the innovations described herein, asystem such as an encryption system or decryption system processes anN-bit input string, a tweak for the system, and a variable-length inputstring to produce an N-bit output string and a variable-length outputstring. As part of the processing, the system produces an N-bitinitialization vector, produces the variable-length output string with aVILTC using the N-bit initialization vector as a tweak, and thenobscures the N-bit initialization vector. The system outputs the N-bitoutput string and the variable-length output string.

The processing can be part of, for example, (1) full-disk encryption,(2) full-disk decryption, (3) authenticated encryption with associateddata, (4) authenticated decryption with associated data or (5) someother encryption or decryption activity. For encryption, the N-bit inputstring and the variable-length input string are plaintext, and the N-bitoutput string and the variable-length output string are ciphertext. Fordecryption, the N-bit input string and the variable-length input stringare ciphertext, and the N-bit output string and the variable-lengthoutput string are plaintext.

In example implementations, the N-bit initialization vector is producedwith a first N-bit TBC and is obscured by a second N-bit TBC, whichproduces the N-bit output string. The N-bit initialization vector isproduced with the first N-bit TBC based on the N-bit input string, asinput for the first N-bit TBC, and a combination of a tweak for thesystem and the variable-length input string, as tweak for the firstN-bit TBC. The variable-length output string is produced with the VILTCbased on the N-bit initialization vector, as tweak for the VILTC, andthe variable-length input string, as input for the VILTC. The N-bitoutput string is produced with the second N-bit TBC based on the N-bitinitialization vector, as input for the second N-bit TBC, and acombination of the tweak for the system and the variable-length outputstring, as tweak for the second N-bit TBC. The system tweak can be setbased on an environmental feature.

According to another aspect of the innovations described herein, anencryption system receives a header and a message. The encryption systemprocesses the message using a VILTC to provide authenticated encryptionwith associated data. A tweak for the VILTC is based at least in part onthe header. The encryption system outputs the header and the encryptedmessage.

In example implementations, when it processes the message, theencryption system determines a modified header using the header andreconstruction information, determines a modified message using themessage and the modified header, and encrypts the modified message usingthe VILTC with the modified header as the tweak for the VILTC. Theencryption system outputs the reconstruction information.

A corresponding decryption system receives a header and an encryptedmessage (along with any reconstruction information). The decryptionsystem processes the encrypted message using a VILTC to provideauthenticated decryption with associated data. A tweak for the VILTC isbased at least in part on the header. The decryption system outputs themessage.

In example implementations, when it processes the encrypted message, thedecryption system determines a modified header using the header and thereconstruction information, decrypts the encrypted message using theVILTC with the modified header as the tweak for the VILTC, anddetermines the message using the modified message and the modifiedheader.

Optionally, for an authentication step, the decryption system checks tosee if the message is valid. For example, if a pre-determined number of“0” bits have been appended to a message during encryption, thendecryption can check for the presence of those bits. If this checkfails, then decryption outputs an error. There may be multiple differentchecks for a message to pass, and the output error(s) may vary dependingon which (combination of) checks fail. (This is the “authenticated” partof “authenticated encryption”—if an attacker tampers with an encryptedmessage, it will likely no longer be valid once decrypted.)

The innovations for constructing and using VILTCs can be implemented aspart of a method, as part of a computing system adapted to perform themethod or as part of tangible computer-readable media storingcomputer-executable instructions for causing a computing system toperform the method. The various innovations can be used in combinationor separately.

The foregoing and other objects, features, and advantages of theinvention will become more apparent from the following detaileddescription, which proceeds with reference to the accompanying figures.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram illustrating a generalized computing system in whichsome embodiments described herein can be implemented.

FIG. 2 is a diagram illustrating an example architecture forconstruction and use of VILTCs.

FIGS. 3a-3c are diagrams illustrating generalized constructions of aVILTC with a protected initialization vector.

FIG. 4 is a flowchart illustrating a generalized technique for using aVILTC with a protected initialization vector.

FIGS. 5a-5c are diagrams illustrating a first example implementation ofVILTC with a protected initialization vector.

FIGS. 6a-6c are diagrams illustrating a second example implementation ofVILTC with a protected initialization vector.

FIGS. 7 and 8 are flowcharts illustrating generalized techniques forauthenticated encryption and decryption, respectively, with associateddata using a VILTC.

FIGS. 9-11 are pseudocode listings illustrating aspects of theoreticaljustifications for some of the innovations described herein.

DETAILED DESCRIPTION

The detailed description presents innovations in the construction anduse of variable-input-length tweakable ciphers (“VILTCs”). In somecases, these VILTCs use an initialization vector that is protected fromexposure outside an encryption/decryption system in order to provideenhanced security with efficient performance. In other cases, a VILTC isused for a reliable and efficient implementation of authenticatedencryption/decryption with associated data.

According to one aspect of the innovations described herein, a VILTCuses a protected initialization vector (“IV”). In some examples,constructing a VILTC with a protected IV offers a simple, modularapproach for building a length-preserving, tweakable cipher that (1) maytake plaintext inputs of essentially any length, (2) achieves thestrongest possible security property for this type of primitive (that ofbeing a strong, tweakable-pseudorandom permutation (“STPRP”), and (3)can be implemented with n-bit primitives so as to make the VILTC withprotected IV STPRP-secure well beyond the “birthday-bound” of 2^(n/2)invocations of the VILTC with protected IV. (The term birthday-boundrefers to a level of security against attacks. For a VILTC constructionwith birthday-bound security, security guarantees are dramaticallyweakened by the time 2^(n/2) bits have been enciphered. A VILTCconstruction with beyond-birthday-bound security may remain secure longafter 2^(n/2) bits have been enciphered.) By some measures ofefficiency, beyond-birthday secure instantiations of a VILTC withprotected IV are competitive with existing constructions that are onlysecure to the birthday bound.

A VILTC with protected IV has many cryptographic applications. Inparticular, in lame-scale data-at-rest scenarios, where the amount ofdata to be protected by a single key is typically greater than inscenarios where keys can be easily renegotiated, a VILTC with protectedIV can efficiently provide a suitable level of security. For example, aVILTC with protected IV can be used for full-disk encryption (“FDE”) anddecryption, format-preserving encryption (“FPE”) and decryption, orauthenticated encryption with associated data (“AEAD”) and decryption.Alternatively, a VILTC with protected IV can be used for anotherencryption/decryption application.

According to another aspect of the innovations described herein, atweakable cipher is used for AEAD and corresponding decryption. A VILTCused for AEAD can be instantiated using a protected IV construction orsome other VILTC construction. Using a tweakable cipher for AEAD canprovide many advantages. For example, using a tweakable cipher for AEADcan help securely handle the reporting of multiple types of decryptionerrors. It can also eliminate ciphertext expansion by exploiting anyexisting nonces, randomness, or redundancies appearing in either theplaintext or associated data inputs. Using a VILTC with a protected IV(with appropriate setting of its parameters) enables AEAD schemes withbeyond birthday-bound security.

Various alternatives to the examples described herein are possible.Various aspects of the disclosed technology can be used in combinationor separately. Different embodiments use one or more of the describedinnovations. Some of the innovations described herein address one ormore of the problems noted in the background. Typically, a giventechnique/tool does not solve all such problems.

I. Example Computing Systems.

FIG. 1 illustrates a generalized example of a suitable computing system(100) in which several of the described innovations may be implemented.The computing system (100) is not intended to suggest any limitation asto scope of use or functionality, as the innovations may be implementedin diverse general-purpose or special-purpose computing systems.

With reference to FIG. 1, the computing system (100) includes one ormore processing units (110, 115) and memory (120, 125). The processingunits (110, 115) execute computer-executable instructions. A processingunit can be a general-purpose central processing unit (“CPU”), processorin an application-specific integrated circuit (“ASIC”) or any other typeof processor. In a multi-processing system, multiple processing unitsexecute computer-executable instructions to increase processing power.For example, FIG. 1 shows a central processing unit (110) as well as agraphics processing unit or co-processing unit (115). The tangiblememory (120, 125) may be volatile memory (e.g., registers, cache, RAM),non-volatile memory (e.g., ROM, EEPROM, flash memory, etc.), or somecombination of the two, accessible by the processing unit(s). The memory(120, 125) stores software (180) implementing one or more innovationsfor constructing or using a VILTC, in the form of computer-executableinstructions suitable for execution by the processing unit(s).

A computing system may have additional features. For example, thecomputing system (100) includes storage (140), one or more input devices(150), one or more output devices (160), and one or more communicationconnections (170). An interconnection mechanism (not shown) such as abus, controller, or network interconnects the components of thecomputing system (100). Typically, operating system software (not shown)provides an operating environment for other software executing in thecomputing system (100), and coordinates activities of the components ofthe computing system (100).

The tangible storage (140) (also called computer-readable storage) maybe removable or non-removable, and includes magnetic disks, magnetictapes or cassettes, CD-ROMs, DVDs, or any other medium which can be usedto store information and which can be accessed within the computingsystem (100). The storage (140) stores instructions for the software(180) implementing one or more innovations for constructing or using aVILTC.

The input device(s) (150) may be a touch input device such as akeyboard, mouse, pen, or trackball, a voice input device, touchscreenfor receiving gesture input, a scanning device, or another device thatprovides input to the computing system (100). The output device(s) (160)may be a display (e.g., touchscreen), printer, speaker, CD-writer, oranother device that provides output from the computing system (100).

The communication connection(s) (170) enable communication over acommunication medium to another computing entity. The communicationmedium conveys information such as computer-executable instructions,audio or video input or output, or other data in a modulated datasignal. A modulated data signal is a signal that has one or more of itscharacteristics set or changed in such a manner as to encode informationin the signal. By way of example, and not limitation, communicationmedia can use an electrical, optical, RF, or other carrier.

The innovations can be described in the general context ofcomputer-readable media. Computer-readable media are any availabletangible media that can be accessed within a computing environment. Byway of example, and not limitation, with the computing system (100),computer-readable media include memory (120, 125), storage (140), andcombinations of any of the above.

The innovations can be described in the general context ofcomputer-executable instructions (also called machine-readableinstructions), such as those included in program modules (also calledcomputer program product), being executed in a computing system on atarget real or virtual processor. Generally, program modules includeroutines, programs, libraries, objects, classes, components, datastructures, etc. that perform particular tasks or implement particularabstract data types. The functionality of the program modules may becombined or split between program modules as desired in variousembodiments. Computer-executable instructions for program modules may beexecuted within a local or distributed computing system.

The terms “system” and “device” are used interchangeably herein. Unlessthe context clearly indicates otherwise, neither term implies anylimitation on a type of computing system or computing device. Ingeneral, a computing system or computing device can be local ordistributed, and can include any combination of special-purpose hardwareand/or general-purpose hardware with software implementing thefunctionality described herein.

The disclosed methods can also be implemented using specializedcomputing hardware configured to perform any of the disclosed methods.For example, the disclosed methods can be implemented by an integratedcircuit specially designed or configured to implement any of thedisclosed methods (e.g., an ASIC such as an ASIC digital signal processunit, a graphics processing unit, or a programmable logic device such asa field programmable gate array).

For the sake of presentation, the detailed description uses terms like“determine,” “provide” and “use” to describe computer operations in acomputing system. These terms are high-level abstractions for operationsperformed by a computer, and should not be confused with acts performedby a human being. The actual computer operations corresponding to theseterms vary depending on implementation.

II. Example Architectures for Construction or Use of VILTCs.

FIG. 2 shows an example architecture (200) for construction and use ofVILTCs. In particular, the architecture includes anencryption/decryption service (222) that uses VILTCs.

In FIG. 2, the applications (210, 212) represent software that interactswith the operating system (220). The applications (210, 212) can includea database transaction processing or analysis application, a Webbrowser, a word processor or other productivity software (with fileexplorer functionality), a message service or any other type ofapplication that uses encryption or decryption. Although FIG. 2 showstwo applications, the architecture (200) can include more or fewerapplications.

The applications (210, 212) interact with the operating system (220) touse the encryption/decryption service (222). When requested by one ofthe applications (210, 212) or the operating system (220), theencryption/decryption service (222) can encrypt data that is stored inthe disk storage (230) or main memory (240) (e.g., for a database).Conversely, the encryption/decryption service (222) can decrypt the datathat is requested by one of the applications (210, 212) or the operatingsystem (220). For example, for full-disk encryption (“FDE”), theencryption/decryption service (222) transparently encrypts data storedin the disk storage (230) and decrypts data returned from the diskstorage (230). Or, for format-preserving encryption (“FPE”), theencryption/decryption service (222) encrypts data stored in disk storage(230) or main memory (240) so that it has the same format as unencrypteddata. For example, data such as credit card numbers are encrypted suchthat the encrypted values are still formatted as credit card numbers. Asanother example, for authenticated encryption with associated data(“AEAD”), the encryption/decryption service (222) encrypts messageshaving headers for one of the applications (210, 212), and decryptsencrypted messages for one of applications (210, 212).

III. Notation and Principles.

This section explains the notation used in the rest of the detaileddescription. It also explains principles of operation for certainaspects of the encryption/decryption systems described herein.

In general,

={0,1,2, . . . } represents a set of non-negative integers. For n ∈

(a number n that is a member of the set

), {0,1}^(n) denotes the set of all n-bit binary strings, and {0,1}*denotes the set of all (finite) binary strings. The symbol E indicatesthe empty string.

Suppose the strings s and t are finite binary strings (that is, s, t ∈{0,1}*). The value |s| is the length of s in bits. The value |(s,t)|=|s∥t|, where s∥t denotes the string formed by concatenating thestrings s and t. If s ∈ {0,1}^(nm), for some m ∈

, the expression

${s_{1}s_{2}\mspace{14mu}\ldots\mspace{14mu} s_{m}}\overset{n}{\longleftarrow}s$indicates that each s_(i) is defined so that the length |s_(i)|=n, ands=s₁s₂ . . . s_(m). When n is implicit from context, it may be omittedfrom the notation, If s=b₁b₂ . . . b_(n) is an n-bit string (each b_(i)∈ {0,1}), then the part of the string s[i . . . j]=b_(i)b_(i+1) . . .b_(j), the part of the string s[i . . . ]=s[i . . . n], and the part ofthe string s[ . . . j]=s[1 . . . j].

The string s⊕t is the bitwise exclusive—or (“XOR”) of the strings s andt. If, for example, |s|<|t|, then s⊕t is the bitwise XOR of s and t[ . .. |s|].

Given R ⊂

and n ∈

with n≤min(R), the strings {0,1}^(R)=U_(i∈R){0,1}^(i), and by abuse ofnotation {0,1}^(R−n)=U_(i∈R){0,1}^(i−n). Given a finite set

, the expression

$X\overset{s}{\longleftarrow}{??}$indicates that the random variable X is sampled uniformly at random from

. Throughout, the distinguished symbol ⊥ is assumed not to be part ofany set except {⊥}. Given an integer n known to be in some range,

n

denotes some fixed-length (e.g., 64-bit) encoding of n. For example,

0

can indicate a 64-bit encoding of the value 0.

The function H:

×

→

⊂{0,1}*. Writing its first argument as a subscripted key, the function His ∈-almost universal (∈-AU)) if, for all distinct values of, Y ∈

, the probability Pr[H_(K)(Y)]≤∈ (where the probability is over

$\left. {K\overset{\$}{\longleftarrow}{??}} \right).$Similarly, the function H is ∈-almost 2-XOR universal if, for alldistinct X, Y ∈

and C ∈

, the probability Pr[H_(K)(X)⊕H_(K)(Y)=C]≤∈.

An adversary is an algorithm taking zero or more oracles as inputs,which the adversary queries in a black-box manner before returning someoutput. Adversaries may be random. The notation A^(ƒ)

b denotes the event that an adversary A outputs b after running withoracle ƒ as its input.

Sometimes it will be convenient to give pseudocode descriptions of theoracles with which an adversary can interact, as well as procedures thatset up or otherwise relate to such interactions. These descriptions willbe referred to as games. A game includes a set of procedures, includinga special “Main” procedure that takes an adversary A as input. Pr[G(A)

y] is the probability that the Main procedure of game G outputs y whengiven an adversary A as input. When no Main procedure is explicitlygiven. Main(A) simply executes A, providing it with the remainingprocedures as oracles (in some order that will be clear from context),and then returns A's output.

is a non-empty set, and the strings

,

⊂ {0,1}*. A tweakable cipher is a mapping {tilde over (E)}:

×

×

→

with the property that, for all (K,T)∈

×

, the tweakable cipher {tilde over (E)}(K,T,⋅) is a permutation on

. The key is typically indicated as a subscript, so that {tilde over(E)}_(K)(T, X)={tilde over (E)}(K, T, X). The tweakable cipher {tildeover (E)}_(K)(T,⋅) is invertible as shown {tilde over (E)}_(K) ⁻¹(T,⋅).

indicates the key space,

indicates the tweak space, and

indicates the message space. The tweakable cipher {tilde over (E)} islength preserving if |{tilde over (E)}_(K)(T, X)|=|X|, for all X ∈

, T ∈

and K ∈

. Restricting the tweak or message spaces of a tweakable cipher givesrise to other objects. When the message space

={0,1}^(n), for some n>0, then {tilde over (E)} is a tweakable blockcipher (“TBC”) with block size n. More generally, an n-character TBC{tilde over (E)} is a family of permutations over the message space

=Σ^(n), where each permutation in the TBC is associated with a key and atweak. When |

|=1, the tweak is implicit, giving a cipher E:

×

→

, where E_(K)(⋅) is a (length-preserving) permutation over

, and E_(K) ⁻¹ is its inverse. Finally, when the message space

={0,1}^(n) and |

|=1, the conventional block cipher E:

×{0,1}^(n)→{0,1}^(n).

The value N (upper case) indicates the length of an input string for anN-bit TBC or N-character TBC, or the length of an IV for a VILTC. TheN-bit TBC and VILTC can be constructed from n-bit block ciphers, where n(lower case) indicates block size for the block cipher. In someexamples, N=n. In other examples, N=2n.

Perm(

) denotes the set of all permutations on

. BC(

,

) is the set of all ciphers with key space

and message space

. When

,

′ are sets, Func(

,

′) is the set of all functions ƒ:

→

′. A tweakable cipher {tilde over (E)}:

×

×

→

. The tweakable pseudorandom-permutation (“TPRP”) and strong-TPRP(“STPRP”) advantage measures are:

${(A)} = {{\Pr\left\lbrack {{K\overset{\$}{\longleftarrow}{??}}\text{:}\mspace{14mu}\left. A^{{\overset{\sim}{E}}_{K}{(\because)}}\Longrightarrow 1 \right.} \right\rbrack} - {\Pr\left\lbrack {{\Pi\overset{\$}{\longleftarrow}{{BC}\left( {{??},{??}} \right)}}\text{:}\mspace{14mu}\left. A^{\Pi{(\because)}}\Longrightarrow 1 \right.} \right\rbrack}}$${{{Adv}_{E}^{\overset{\sim}{stprp}}(A)} = {{\Pr\left\lbrack {{K\overset{\$}{\longleftarrow}{??}}\text{:}\mspace{14mu}\left. A^{{{\overset{\sim}{E}}_{K}{(\because)}},{{\overset{\sim}{E}}_{K}^{- 1}{(\because)}}}\Longrightarrow 1 \right.} \right\rbrack} - {\Pr\left\lbrack {{\Pi\overset{\$}{\longleftarrow}{{BC}\left( {{??},{??}} \right)}}\text{:}\mspace{14mu}\left. A^{{\Pi{(\because)}},{\Pi^{- 1}{(\because)}}}\Longrightarrow 1 \right.} \right\rbrack}}},$where, in each case, adversary A takes the indicated number of oracles.For both the TPRP and STPRP experiments, the adversary A never repeats aquery to an oracle. For the STPRP advantage measure, this also meansthat if the adversary A queries (T, X) to its leftmost oracle andreceives Y in return, then adversary A never queries (T, Y) to itsrightmost oracle, and vice versa.

A related measure, the SRND advantage, is defined as:

${{(A)} = {{\Pr\left\lbrack {{K\overset{\$}{\longleftarrow}{??}}\text{:}\mspace{14mu}\left. A^{{{\overset{\sim}{E}}_{K}{(\because)}},{{\overset{\sim}{E}}_{K}^{- 1}{(\because)}}}\Longrightarrow 1 \right.} \right\rbrack} - {\Pr\left\lbrack A^{{\${(\because)}},{\${(\because)}}}\Longrightarrow 1 \right\rbrack}}},$where the $(⋅,⋅) oracle outputs a random string equal in length to itssecond input: |$(T, X)|=|X| for all T and X. Adversaries for the abovethree advantages are nonce-respecting if the transcript of their oraclequeries (T₁, X₁), . . . , (T_(q), X_(q)) does not include T_(i)=T_(j)for any i≠j.

For a cipher E:

×

→

, the pseudorandom permutation (“PRP”) and strong-PRP (“SPRP”) advantagemeasures are defined as:

${{Adv}_{E}^{prp}(A)} = {{\Pr\left\lbrack {{K\overset{\$}{\longleftarrow}{??}}\text{:}\mspace{14mu}\left. A^{E_{K}{( \cdot )}}\Longrightarrow 1 \right.} \right\rbrack} - {\Pr\left\lbrack {{\pi\overset{\$}{\longleftarrow}{{Perm}({??})}}\text{:}\mspace{14mu}\left. A^{\pi{( \cdot )}}\Longrightarrow 1 \right.} \right\rbrack}}$${{{Adv}_{E}^{sprp}(A)} = {{\Pr\left\lbrack {{K\overset{\$}{\longleftarrow}{??}}\text{:}\mspace{14mu}\left. A^{{E_{K}{( \cdot )}},{E_{K}^{- 1}{( \cdot )}}}\Longrightarrow 1 \right.} \right\rbrack} - {\Pr\left\lbrack {{\pi\overset{\$}{\longleftarrow}{{Perm}({??})}}\text{:}\mspace{14mu}\left. A^{{\pi{( \cdot )}},{\pi^{- 1}{( \cdot )}}}\Longrightarrow 1 \right.} \right\rbrack}}},$where, in each case, adversary A takes the indicated number of oracles.

Three adversarial resources are tracked: the time complexity t, thenumber of oracle queries q, and the total length of these queries μ. Thetime complexity of the adversary A is defined to include the complexityof its enveloping probability experiment (including sampling of keys,oracle computations, etc.), and the parameter t is defined to be themaximum time complexity of the adversary A, taken over both experimentsin the advantage measure.

IV. Generalized Constructions and Uses for VILTCs with Protected IVs.

FIGS. 3a-3c show generalized constructions (300, 301, 302) of a VILTCwith a protected initialization vector. The generalized constructions(300, 301, 302) can be used for encryption, in which a fixed-lengthinput string X_(L) and variable-length input string X_(R) of plaintextare converted to a fixed-length output string Y_(L) and variable-lengthoutput string Y_(R) of ciphertext. Or, the generalized constructions(300, 301, 302) can be used for decryption, in which a fixed-lengthinput string Y_(L) and variable-length input string Y_(R) of ciphertextare converted to a fixed-length output string X_(L) and variable-lengthoutput string X_(R) of plaintext.

In the construction (300) of FIG. 3a , a first FIL TBC (320 a) andsecond FIL TBC (340 a) protect the fixed-length initialization vector(328 a) from exposure outside the system. A buffer (310) stores afixed-length input string (311 a) and a variable-length input string(312). A first FIL TBC (320 a) is adapted to produce the fixed-lengthinitialization vector (328 a). For example, the first FIL TBC (320 a) isadapted to produce the fixed-length initialization vector (328 a) usingthe fixed-length input string (311 a), as its input, and a combination(e.g., concatenation or other adjustment) of a tweak (318) for thesystem and the variable-length input string (312), as its tweak. In FIG.3a , the filled-in portion of the first FIL TBC (320 a) (and the secondFIL TBC (340 a)) represents the tweak input. The value of the tweak(318) can be based on an environmental feature of the system (e.g.,logical hard disk sector ID for FDE, memory address, last four digits ofa credit card number for FPE).

In FIG. 3a , the variable-input-length tweakable cipher (“VILTC”) (330)is adapted to produce a variable-length output string (352) using thefixed-length initialization vector (328 a) as a tweak. For example, theVILTC (330) is adapted to produce the variable-length output string(352) using the fixed-length initialization vector (328 a), as itstweak, and the variable-length input string (312), as its input.

In FIG. 3a , the second FIL TBC (340 a) is adapted to produce afixed-length output string (351 a). For example, the second FIL TBC (340a) is adapted to produce the fixed-length output string (351 a) usingthe fixed-length initialization vector (328 a), as its input, and acombination (e.g., concatenation or other adjustment) of the tweak (318)and the variable-length output string (352), as its tweak. Typically,the first FIL TBC (320 a) and the second FIL TBC (340 a) use the samevalue for the tweak (318). Another buffer (350) stores the fixed-lengthoutput string (351 a) and the variable-length output string (352).

FIG. 3b shows a variation of the construction (300) that is adapted forformat-preserving encryption and decryption. In the construction (301)of FIG. 3b , a first N-character TBC (320 b) and second N-character TBC(340 b) protect the N-character initialization vector (328 b) fromexposure outside the system. A buffer (310) stores an N-character inputstring (311 b) and a variable-length input string (312). A firstN-character TBC (320 b) is adapted to produce the N-characterinitialization vector (328 b). For example, the first N-character TBC(320 b) is adapted to produce the N-character initialization vector (328b) using the N-character input string (311 b), as its input, and acombination (e.g., concatenation or other adjustment) of a tweak (318)for the system and the variable-length input string (312), as its tweak.The value of the tweak (318) can be based on an environmental feature ofthe system (e.g., last four digits of a credit card number for FPE).

In FIG. 3b , the VILTC (330) is adapted to produce a variable-lengthoutput string (352) using the N-character initialization vector (328 b)as a tweak. For example, the VILTC (330) is adapted to produce thevariable-length output string (352) using the N-character initializationvector (328 b), as its tweak, and the variable-length input string(312), as its input.

In FIG. 3b , the second N-character TBC (340 b) is adapted to produce anN-character output string (351 b). For example, the second N-characterTBC (340 b) is adapted to produce the N-character output string (351 b)using the N-character initialization vector (328 b), as its input, and acombination (e.g., concatenation or other adjustment) of the tweak (318)and the variable-length output string (352), as its tweak. Typically,the first N-character TBC (320 b) and the second N-character TBC (340 b)use the same value for the tweak (318) for the system. Another buffer(350) stores the N-character output string (351 b) and thevariable-length output string (352).

Characters of the N-character input string (311 b), the variable-lengthinput string (312), the N-character output string (351 b), and thevariable-length output string (352) are selected from a pre-determined,finite set of symbols (e.g., numbers 0 . . . 9, letters A . . . Z andnumbers 0 . . . 9). Example values of N for an N-character input string(311 b), N-character initialization vector (328 b), and N-characteroutput string (351 b) are N=1 or N=2. More generally, N can be anypositive integer.

The generalized construction (301) can be implemented in various ways.For example, the first N-character TBC (320 b), the VILTC (330) and thesecond N-character TBC (340 b) can be constructed from randomlygenerated permutation look-up tables. Recall that, in general, eachpermutation in a TBC is associated with a tweak and a key. The tweak andthe key, as inputs to the TBC, specify a particular permutation for theTBC. In some implementations (e.g., for FPE applications in thecredit-card payment industry, where regulatory pressures are strong),users may prefer to avoid explicit keys. In such cases, the tweak isused to select among a family of randomly generated permutation look-uptables.

More generally, the first N-character TBC (320 b), the secondN-character TBC (340 b), and the VILTC (330) can be implemented usingspecial-purpose hardware or implemented using software that executes ongeneral-purpose hardware. Typically, the two N-character TBCs (320 b,340 b) are provided through two calls to a single N-character TBCcomponent, with different inputs and outputs as described above.Alternatively, however, the N-character TBCs (320 b, 340 b) can beprovided with two different N-character TBC components.

FIG. 3c shows a variation of the construction (300) that is adapted forfull-disk encryption and decryption. In the construction (302) of FIG.3c , a first N-bit TBC (320 c) and second N-bit TBC (340 c) protect theN-bit initialization vector (328 c) from exposure outside the system. Abuffer (310) stores an N-bit input string (311 c) and a variable-lengthinput string (312). Example values of N are 128 and 256 bits. Examplelength values for the variable-length input string (312) are 4096 bytesand 8192 bytes.

In FIG. 3c , a first N-bit TBC (320 c) is adapted to produce an N-bitinitialization vector (328 c). For example, the first N-bit TBC (320 c)is adapted to produce the N-bit initialization vector (328 c) using theN-bit input string (311 c), as its input, and a combination (e.g.,concatenation or other adjustment) of a tweak (318) for the system andthe variable-length input string (312), as its tweak. The value of thetweak (318) can be based on an environmental feature of the system(e.g., logical hard disk sector ID for FDE).

In FIG. 3c , the VILTC (330) is adapted to produce a variable-lengthoutput string (352) using the N-bit initialization vector (328 c) as atweak. For example, the VILTC (330) is adapted to produce thevariable-length output string (352) using the N-bit initializationvector (328 c), as its tweak, and the variable-length input string(312), as its input.

In FIG. 3c , the second N-bit TBC (340 c) is adapted to produce an N-bitoutput string (351 c). For example, the second N-bit TBC (340 c) isadapted to produce the N-bit output string (351 c) using the N-bitinitialization vector (328 c), as its input, and a combination (e.g.,concatenation or other adjustment) of the tweak (318) and thevariable-length output string (352), as its tweak. Typically, the firstN-bit TBC (320 c) and the second N-bit TBC (340 c) use the same valuefor the tweak (318) for the system. Another buffer (350) stores theN-bit output string (351 c) and the variable-length output string (352).

The generalized construction (302) can be implemented in many ways, asdetailed below. The first N-bit TBC and the second N-bit TBC haveidentical structure. Alternatively, they have different structures.

For example, in one implementation, the first N-bit TBC (320 c) and/orthe second N-bit TBC (340 c) is an LRW2 TBC construction (defined below;see section V.A), and the VILTC (330) is an iterated LRW2 TBCconstruction. As further detailed below, a LRW2 TBC construction isadapted to produce an n-bit LRW2 output string by computing an XORbetween (1) an encrypted version of an XOR between (a) an n-bit LRW2input string and (b) an n-bit hash of a tweak input, and (2) the n-bithash of the tweak input. As another example, in another implementation,the first N-bit TBC (320 c) and/or the second N-bit TBC (340 c) is adomain-extended CLRW2 construction (defined below; see section V.A), andthe VILTC (330) is an iterated CLRW2 construction.

The construction (302) can include a controller (not shown) that isadapted to adjust N (number of bits for the fixed-length input stringand fixed-length output string) to trade off security and implementationefficiency. A smaller value of N (e.g., 128) provides worse security butsimplifies efficient implementation subject to security constraints. Onthe other hand, a larger value of N (e.g., 256) provides better securitybut complicates efficient implementation subject to the securityconstraints.

In general, N can be any positive integer. The numbers N=128 and N=256are suitable when the FIL and VIL components of the protected IVconstruction are constructed from an underlying 128-bit block cipher(e.g., AES). If the PIV construction is implemented using block ciphersof another size (such as DES, with block size of 64 bits), another valuefor N may be suitable (e.g., 64 or 128 bits).

The first N-bit TBC (320 c), second N-bit TBC (340 c), and VILTC (330)can be implemented using special-purpose hardware. Or, the first N-bitTBC (320 c), second N-bit TBC (340 c), and VILTC (330) can beimplemented using software that executes on general-purpose hardware.Typically, the two N-bit TBCs (320 c, 340 c) are provided through twocalls to a single N-bit TBC component, with different inputs and outputsas described above. Alternatively, however, the N-bit TBCs (320 c, 340c) can be provided with two different N-bit TBC components.

The construction (302) can be interpreted as a type of three-round,unbalanced Feistel network, where the left part of the input is of afixed bit length N, and the right part has variable length. The firstand third round-functions are the N-bit TBCs ({tilde over (F)}) (320 c,340 c). In example implementations, the bit length N is a tunableparameter of the construction, and can have a value such as N=128 orN=256. The VILTC (330) provides a middle round-function ({tilde over(V)}), whose tweak is the output of first round, the initializationvector (328 c).

Compared to a conventional VILTC {tilde over (V)} without a protectedIV, the VILTC module {tilde over (V)} in a VILTC with protected IV(PIV[{tilde over (F)}, {tilde over (V)}]) can have lower securityrequirements. The target security property for PIV[{tilde over (F)},{tilde over (V)}] is being STPRP-secure. Informally, being STPRP-securemeans withstanding chosen-ciphertext attacks in which the attacker alsohas full control over all inputs. The attacker can, for example, repeata tweak an arbitrary number of times. As detailed in section VII, if aTBC {tilde over (F)} is STPRP-secure over a domain of N-bit strings, anda tweakable cipher {tilde over (V)} is secure against attacks that neverrepeat a tweak, then PIV[{tilde over (F)}, {tilde over (V)}] isSTPRP-secure. Qualitatively, the protected IV construction promotessecurity (over a large domain), against a restricted kind of attacker,into security against arbitrary chosen-ciphertext attacks.Quantitatively, the security bound for PIV[{tilde over (F)}, {tilde over(V)}] contains an additive term q²/2^(N), where q is the number of timesPIV[{tilde over (F)}, {tilde over (V)}] is queried. N can be the blocksize n of some underlying block cipher. In this case, the PIV[{tildeover (F)}, {tilde over (V)}] delivers a bound comparable to thoseachieved by existing constructions. If N=2n, an n-bit primitive can beused to instantiate {tilde over (F)} and {tilde over (V)}, and yetPIV[{tilde over (F)}, {tilde over (V)}] delivers a tweakable cipher withsecurity well beyond beyond-birthday of 2^(n/2) queries.

Formally, in example implementations, PIV[{tilde over (F)}, {tilde over(V)}] is constructed based on the following. The tweak space

={0,1}^(t) for some t≥0.

⊂ {0,1}*, such that if Y ∈

, then {0,1}^(|Y|) ⊂

. T′=

×

. For an integer N>0, the TBC {tilde over (F)}:

′×

′×{0,1}^(N)→{0,1}^(N), and the VILTC {tilde over (V)}:

×{0,1}^(N)×

→

. From these, PIV[{tilde over (F)}, {tilde over (V)}]:(

′×

)×

×

→

, where

={0,1}^(N)×

.

The PIV composition of {tilde over (F)}, {tilde over (V)} is a threeround Feistel construction, working as follows. On input (T,X), theplaintext input string X=X_(L)∥X_(R) where the length of thefixed-length part |X_(L)|=N. The first TBC {tilde over (F)}, using a keyK′, creates an N-bit string for the initialization vector IV={tilde over(F)}_(K′)(T∥X_(R), X_(L)). Next, the VILTC {tilde over (V)} uses this IVto encipher the variable-length input string X_(R) with a key K,creating a variable-length output string Y_(R)={tilde over (V)}_(K)(IV,X_(R)). The second TBC {tilde over (F)} creates an N-bit output stringY_(L)={tilde over (F)}_(K′)(T∥Y_(R), IV). The ciphertext output stringY_(L)∥Y_(R) is returned as the value of PIV[{tilde over (F)},{tilde over(V)}]_(K′,K)(T, X).

Conversely, the inverse construction PIV[{tilde over (F)}, {tilde over(V)}]_(K′,K) ⁻¹(T, Y) operates as follows. On input (T,Y), theciphertext input string Y=Y_(L)∥Y_(R) where the length of thefixed-length part |Y_(L)|=N. The first TBC {tilde over (F)}, using a keyK′, creates an N-bit string for the initialization vector IV={tilde over(F)}_(K′)(T∥Y_(R), Y_(L)). Next, the VILTC {tilde over (V)} uses this IVto decipher the variable-length input string Y_(R) with a key K,creating a variable-length output string X_(R)={tilde over (V)}_(K)(IV,Y_(R)). The second TBC {tilde over (F)} creates an N-bit output stringX_(L)={tilde over (F)}_(K′)(T∥X_(R), IV). The plaintext output stringX_(L)∥X_(R) is returned as the value of PIV[{tilde over (F)}, {tildeover (V)}]_(K′,K) ⁻¹(T, Y).

In FIG. 3c , the construction includes three rounds. Alternatively, theconstruction can include more rounds (e.g., 5 rounds or 7 rounds), withN-bit TBCs ({tilde over (F)}) starting and ending the construction, andwith multiple VILTC {tilde over (V)} components alternating among theN-bit TBCs ({tilde over (F)}).

FIG. 4 shows a generalized technique (400) for using a VILTC with aprotected IV. An encryption system or decryption system performs thetechnique (400).

The system receives (410) a fixed-length input string (e.g., N-bit inputstring, N-character input string) and a variable-length input string.For encryption (e.g., during FDE, FPE, AEAD or another encryptionscenario), the fixed-length input string and the variable-length inputstring are plaintext. For corresponding decryption, the fixed-lengthinput string and the variable-length input string are ciphertext.

The system produces (420) a fixed-length initialization vector (e.g.,N-bit initialization vector, N-character initialization vector). Forexample, the fixed-length initialization vector is produced with a FILTBC based on the fixed-length input string, as input for the FIL TBC,and a combination of a tweak for the system and the variable-lengthinput string, as tweak for the FIL TBC. The FIL TBC can be an N-bit TBCor N-character TBC, for example. For the FIL TBC, the system can set thevalue of the tweak based on an environmental feature of the system(e.g., disk sector, memory address) or set the value of the tweak insome other way. Alternatively, the fixed-length initialization vector isproduced in some other way.

The system also produces (430) a variable-length output string with aVILTC, which uses the fixed-length initialization vector as a tweak. Forexample, the VILTC produces the variable-length output string based onthe fixed-length initialization vector (as tweak for the VILTC) and thevariable-length input string (as input for the VILTC). Alternatively,the variable-length output string is produced in some other way.

The system obscures (440) the fixed-length initialization vector. Forexample, the fixed-length initialization vector is obscured by a FILTBC, which produces a fixed-length output string (e.g., N-bit outputstring, N-character output string) based on the fixed-lengthinitialization vector, as input for the FIL TBC, and a combination ofthe system tweak and the variable-length output string, as tweak for theFIL TBC. The FIL TBC can be an N-bit TBC or N-character TBC, forexample. Alternatively, the fixed-length initialization vector isobscured in some other way.

Finally, the system outputs (450) the fixed-length output string and thevariable-length output string. For encryption (e.g., during FDE, FPE,AEAD or another encryption scenario), the fixed-length output string andthe variable-length output string are ciphertext. For correspondingdecryption, the fixed-length output string and the variable-lengthoutput string are plaintext.

V. Example Implementations for VILTCs with Protected IVs.

Within the general framework for VILTCs with protected IVs, thefixed-input length (“FIL”) part {tilde over (F)} andvariable-input-length (“VIL”) part {tilde over (V)} can be constructedindependently. This modular approach is beneficial since constructingefficient and secure instantiations of the VIL part {tilde over (V)} istypically easy, when tweaks can be assumed not to repeat. Constructing aFIL TBC {tilde over (F)} that remains secure when tweaks may be repeatedis simplified by having it process plaintext inputs of a fixed bitlength N (that is, N-bit block size). In practice, when N=128 or 256,inefficiencies incurred by {tilde over (F)} can be offset by efficiencygains in {tilde over (V)}.

There are security advantages to setting the block size N to be as largeas possible, but building a FIL TBC {tilde over (F)} with domain{0,1}^(N) for a large N, and for which

(C) approaches q²/2^(N), is complicated. In particular, at present,there are no efficient constructions that permit

(C) to be smaller than

(q³/2^(2n)) when using an n-bit block cipher as a starting point,although a construction for which N=2n is described below.

Therefore, this section focuses on constructing TBCs {tilde over (F)}with a relatively small N (e.g., 128, 256). In particular, N-bit TBCsare constructed out of block ciphers. For n as the block size of theblock cipher, N=n, and N=2n. This section describes two implementationsof VILTCs with protected IVs, each using n-bit block ciphers.

The first example implementation (called TCT₁) provides birthday-boundsecurity. When N=n, the implementation is secure up to roughlyq=2^(n/2), which is the birthday bound with respect to the block cipher.With this security bound in mind, the implementation uses simple andefficient constructions of both {tilde over (F)} and {tilde over (V)}.TCT₁ uses only one block cipher invocation and some arithmetic, modulo apower of two, per n-bit block of input. In contrast, previous approachesto implementing VILTCs either use two block cipher invocations per n-bitblock, or use per-block finite field operations.

The second example implementation (called TCT₂) delivers security beyondthe birthday-bound. When N=2n, the implementation is secure up toroughly q=2^(n) queries. With this tighter security bound in mind, thereare still reasonably efficient constructions. When compared to previousVILTCs with only birthday-bound security, TCT₂ incurs only someadditional, simple arithmetic operations per n bit block of input.Again, this arithmetic is performed modulo powers of two, rather than ina finite field.

In the TCT₁ and TCT₂ implementations, the VIL component {tilde over (V)}is instantiated using counter-mode encryption over a TBC. The additionaltweak input of the TBC permits various “tweak-scheduling” approaches,e.g., fixing a single per-message tweak across all blocks, or changingthe tweak each message block. (There is a natural connection betweenchanging the tweak of a TBC and changing the key of a block cipher. Bothcan be used to boost security, but changing a tweak is cleaner becausetweaks need not be secret.) Re-tweaking on a block-by-block basis leadsto a beyond birthday-bound secure VILTC with protected IV constructionthat admits strings of any length at least N.

The procedure TCTR provides counter-mode encryption over an n-bit TBC{tilde over (E)}. Within a call to TCTR, each n-bit block X_(i) of theinput X is processed using a per-block tweak T_(i), which is determinedby a function

:

′×

→

of the input tweak T and the block index i, as follows:

${procedure}\mspace{14mu}{{TCTR}\left\lbrack \overset{\sim}{E} \right\rbrack}_{K}\left( {T,X} \right)\text{:}$$X_{1},X_{2},\ldots\mspace{14mu},{X_{v}\overset{n}{\longleftarrow}X}$for  i = to  v T_(i) ← g(T, i); Z_(i) ← ⟨i⟩$\left. Y_{i}\leftarrow{{{\overset{\sim}{E}}_{K}\left( {T_{i},Z_{i}} \right)} \oplus X_{i}} \right.$Return  Y₁, Y₂, …  , Y_(v)

In the procedure inverse TCTR, each n-bit block Y_(i) of the input Y isprocessed using a per-block tweak T_(i), as follows:

${procedure}\mspace{14mu}{{TCTR}\left\lbrack \overset{\sim}{E} \right\rbrack}_{K}^{- 1}\left( {T,Y} \right)\text{:}$$Y_{1},Y_{2},\ldots\mspace{14mu},{Y_{v}\overset{n}{\longleftarrow}Y}$for  i = to  v T_(i) ← g(T, i); Z_(i) ← ⟨i⟩$\left. X_{i}\leftarrow{Y_{i} \oplus {{\overset{\sim}{E}}_{K}\left( {T_{i},Z_{i}} \right)}} \right.$Return  X₁, X₂, …  , X_(v)

In a VILTC with protected IV, the TBC {tilde over (F)} handles longtweaks. The tweaks can be compressed using an ∈-AU hash function at thecost of adding a q²∈ term to the tweakable cipher's TPRP security bound.In particular, some example implementations use a variation of the NHhash. The function NH[r, s]_(L) takes r-bit keys (|L|=r), maps r-bitstrings to s-bit strings, and is 2^(s/2)-AU. Given a TBC {tilde over(E)}, {tilde over (E)}^(NH) denotes the resulting TBC whose tweak spaceis now the domain of NH, rather than its range.

A. Components of First and Second Example Implementations.

The first and/or second example implementations use the followingcomponents.

The component LRW2 indicates a birthday-bound TBC that uses a blockcipher E and a ∈-AXU₂ function H. LRW2[H,E]_((K,L))(T,X)=E_(K)(X⊕H_(L)(T))⊕H_(L)(T).

The component CLRW2 is a TBC with beyond birthday-bound security, whichuses a block cipher E and a ∈-AXU₂ function H. CLRW2[H,E]_((K) _(i)_(,K) ₂ _(,L) ₁ _(,L) ₂ ₎(T,X)=LRW2[H,E]_((K) ₂ _(,L) ₂₎(T,LRW2[H,E]_(K) ₁ _(,L) ₁ ₎(T,X)).

The component polyH^(mn) is a ∈-AXU₂ function with domain({0,1}^(n))^(m) and ∈=m/2^(n). All operations are in F_(2n).

${{poly}\;{H_{L}^{mn}\left( {T_{1}T_{2}\mspace{14mu}\ldots\mspace{14mu} T_{m}} \right)}} = {\overset{m}{\underset{i = 1}{\oplus}}{T_{i} \otimes {L^{i}.}}}$

The component NH(vw, 2tw) is a ∈-AXU₂ function with ∈=1/2^(tw). Inputsare vw bits, where v is even and w>0 is fixed. NH[v,t]_(K) ₁_(∥ . . . ∥K) _(v+2(t−1)) (M)=H_(K) ₁ _(. . . K) _(v) (M)∥H_(K) ₃_(. . . K) _(v+2) (M)∥ . . . ∥H_(K) _(2t−1) _(. . . K) _(v+2t−2) (M),where H_(K) ₁ _(∥ . . . ∥K) _(v) (X₁ . . . X_(v))=Σ_(i=1)^(v/2)(K_(2i−1)+_(w)X_(2i−1))·(K_(2i)+_(w)X_(2i))mod2^(2w).

The component CDMS is a Feistel-like domain extender for TBC {tilde over(E)}. CDMS[{tilde over (E)}]_(K)(T,L∥R)={tilde over(E)}_(K)(10∥T∥R′,L′)∥R′, where R′={tilde over (E)}_(K)(01∥T∥L′,R) andL′={tilde over (E)}_(K)(00∥T∥R,L).

B. First Example Implementation TCT₁.

The first example implementation TCT₁ is an efficient implementationwith birthday-type security for applications with small plaintextmessages (e.g., FDE). For this implementation, the size of the N-bit TBCis N=n, and the n-bit TBC {tilde over (F)} uses an LRW2 component. Inaddition to a block cipher E, LRW2[H, E] uses an ∈-AXU₂ hash function H.In theory, the LRW2 component can accommodate large tweaks. Forpractical purposes, however, it will be more efficient to implement LRW2with a small tweak space, and then extend this small tweak space using afast ∈-AU hash function. For the ∈-AXU₂ hash function itself, the firstexample implementation uses the polynomial hash polyH.

FIGS. 5a-5c illustrate components of the first example implementationTCT₁ (500), which takes a tweak T and message X as inputs. The message Xis split into blocks X₁, X₂, . . . , X_(v), where the length of the allblocks except the last block X_(v) is n, and the length of the lastblock X_(v) is less than or equal to n. TCT₁ produces an output stringY=Y₁, Y₂, . . . , Y_(v). The block size of the FIL components is N=n.For k, n>0, E: {0,1}^(k)×{0,1}^(n)→{0,1}^(n) is a block cipher.TCT₁=PIV[{tilde over (F)}, {tilde over (V)}], where to obtain a τn-bittweak space and domain {0,1}^({n,n+1, . . . , ln}), the n-bit TBC {tildeover (F)} and VILTC {tilde over (V)} are set as follows.

The n-bit TBC {tilde over (F)}=LRW2[polyH^(2n), E]^(NH[(l+τ)n,2n]). Thatis, the n-bit TBC {tilde over (F)} is a LRW2 component with its tweakspace extended using NH. The key space for {tilde over (F)} is{0,1}^(k)×{0,1}^(2n)×{0,1}^((l+τ)n), with key K′ being partitioned intokeys for E, polyH^(2n), and NH[(l+τ)n, 2n]. Since NH supports onlyfixed-length inputs, NH inputs are implicitly padded with a 1 and thenenough 0s to reach a total length of (l+τ)n bits.) The tweak space for{tilde over (F)} is {0,1}^({0,1,2, . . . , (l+τ−1)n}).

FIG. 5a shows a first n-bit TBC {tilde over (F)}′_(K′)(520) that acceptsa tweak input (510) and message input. The message input is the firstn-bit block X₁. The tweak input (510) is a tweak value T concatenatedwith a padded version of the remaining blocks of the message X. Thefunction Pad( ) maps s to s ∥10^((l+1)n−1−|s|). The first n-bit TBC{tilde over (F)}′_(K′) (520) produces an n-bit IV (538).

FIG. 5a also shows a second n-bit TBC {tilde over (F)}′_(K′) (520) thataccepts a tweak input (560) and message input. The message input is then-bit IV (538). The tweak input (560) is the tweak value T concatenatedwith a padded version of blocks Y₂ . . . Y_(v) of the variable-lengthoutput string Y. The second n-bit TBC {tilde over (F)}′_(K′) (520)produces the first block Y₁ of the variable-length output string Y.

FIG. 5b shows details of an n-bit TBC {tilde over (F)}′_(K′) (520). TheNH function (521) accepts a tweak value with (l+r)×n bits and produces atweak value with 2n bits. The polyH^(2n) function (522) produces ann-bit tweak value from the 2n-bit tweak value. The block cipher (523)encrypts the n-bit tweak value XOR'd with an n-bit input value (whichvaries between the first n-bit TBC {tilde over (F)}′_(K′) (X₁) andsecond n-bit TBC {tilde over (F)}′_(K′)(the n-bit IV)). The output ofthe block cipher (523) is then XOR'd with the n-bit tweak value, toproduce an n-bit output.

The VILTC {tilde over (V)}=TCTR[LRW2[polyH^(n), E]]. For the TCTRprocedure,

: {0,1}^(n)×

→{0,1}^(n), as

(T, i)=T. The key space for {tilde over (V)} is {0,1}^(k)×{0,1}^(n),with key K being partitioned into keys for E and polyH^(n). The tweakspace for {tilde over (V)} is {0,1}^(n), and its domain is{0,1}^({0,1, . . . , (l−1)n}).

As shown in FIG. 5a , the TCTR for VILTC {tilde over (V)} is implementedas a series of components TBC {tilde over (F)}_(K) (540). Each TBC{tilde over (F)}_(K) (540) accepts, as tweak input, the n-bit IV (538).Each TBC {tilde over (F)}_(K) (540) also accepts, as message input, apadded counter value

i

, for 0≤i≤v−2. The output of each TBC {tilde over (F)}_(K) (540) isXOR'd with an n-bit block X_(i+2) of the message X to produce a blockY_(i+2) of the variable-length output string Y.

FIG. 5c shows details of an n-bit TBC {tilde over (F)}_(K) (540). ThepolyH^(n) function (542) produces a resulting n-bit tweak value from aninput n-bit tweak value. The block cipher (543) encrypts the resultingn-bit tweak value XOR'd with an n-bit input value (padded countervalue). The output of the block cipher (543) is then XOR'd with theresulting n-bit tweak value, to produce an n-bit output.

C. Second Example Implementation TCT₂.

The second example implementation TCT₂ provides beyond birthday-boundsecurity. For this implementation, the size of the N-bit TBC {tilde over(F)} is N=2n. The 2n-bit TBC {tilde over (F)} uses a variation of CDMScomponent, which includes several n-bit TBCs as part of CLRW2 componentsto provide beyond-birthday-bound security. The tweak space is extendedusing NH, with range of NH set to {0,1}^(2n). Ultimately, setting {tildeover (F)}=CDMS[CLRW2]^(NH) is secure against up to around 2^(2n/3)queries. The CLRW2 component also is used in a beyond birthday-boundsecure VILTC component, namely {tilde over (V)}=TCTR[CLRW2[E, H]], atleast for l=o(q^(1/4)). TCT₂ supports τn-bit tweaks and has domain{0,1}^({2n,2n+1, . . . , ln}).

FIGS. 6a-6c illustrate components of the second example implementationTCT₂ (600), which takes a tweak T and message X as inputs. The message Xis split into blocks X₁, X₂, . . . , X_(v), where the length of the allblocks except the last block X_(v) is n, and the length of the lastblock X_(v) is less than or equal to n. The length of the message X isbetween 2n and l n bits. TCT₂ produces an output string Y=Y₁, Y₂, . . ., Y_(v). The block size of the FIL components is N=2n. For k, l, n, τ>0,E: {0,1}^(k)×{0,1}^(n)→{0,1}^(n) is a block cipher. TCT₂=PIV[{tilde over(F)}, {tilde over (V)}], where the 2n-bit TBC {tilde over (F)} and VILTC{tilde over (V)} are set as follows.

The n-bit TBC {tilde over (F)}=CDMS[CLRW2[polyH^(6n),E]]^(NH[(l+τ−1)n,4n]). That is, the 2n-bit TBC {tilde over (F)} is aCDMS[CLRW2[polyH^(6n), E]] component with its tweak space extended usingNH. The key space for {tilde over (F)} is{0,1}^(2k)×{0,1}^(12n)×{0,1}^((l+τ−1)n), with key k′ being partitionedinto two keys for E, two keys for polyH^(6n), and a key for NH[ln, 4n].The tweak space for {tilde over (F)} is {0,1}^(τn).

FIG. 6a shows a first 2n-bit TBC {tilde over (F)}′_(K′) (620) thataccepts a tweak input (610) and message input. The message input is thefirst two n-bit blocks X₁ and X₂. The tweak input (610) is a tweak valueT concatenated with a padded version of the remaining blocks of themessage X. The first 2n-bit TBC {tilde over (F)}′_(K′) (620) produces a2n-bit IV (638).

FIG. 6a also shows a second n-bit TBC {tilde over (F)}′_(K′) (620) thataccepts a tweak input (660) and message input. The message input is the2n-bit IV (638). The tweak input (660) is the tweak value T concatenatedwith a padded version of blocks Y₃ . . . Y_(v) of the variable-lengthoutput string Y. The second 2n-bit TBC {tilde over (F)}′_(K′) (520)produces the first two blocks Y₁ and Y₂ of the variable-length outputstring Y.

FIG. 6b shows details of a 2n-bit TBC {tilde over (F)}′_(K′) (620). TheNH function (621) accepts a tweak value with (l+r−1)×n bits and producesa tweak value T′ with 4n bits. The 2n-bit input, which varies betweenthe first 2n-bit TBC {tilde over (F)}′_(K′) (X₁ and X₂) and second2n-bit TBC {tilde over (F)}′_(K′)(the 2n-bit IV), is split into twon-bit inputs. The first n-bit input is provided to a firstCLRW2[polyH^(6n), {tilde over (E)}_(K)] component (622), which alsoaccepts a 6n-bit tweak value. The 6n-bit tweak value is determined byconcatenating a padded version of the 4n-bit tweak value T′ (padded withn zero bits out to a length of 5n bits) and the second n-bit input. Thefirst CLRW2[polyH^(6n), {tilde over (E)}_(K)] component (622) producesan n-bit output value, which is concatenated after a padded version ofthe 4n-bit tweak value T′ (padded with n zero bits out to a length of 5nbits) to form a 6n-bit tweak value for the second CLRW2[polyH^(6n),{tilde over (E)}_(K)] component (622). The second CLRW2[polyH^(6n),{tilde over (E)}_(K)] component (622), which also accepts the secondn-bit input, produces an n-bit output. Similarly, a thirdCLRW2[polyH^(6n), {tilde over (E)}_(K)] component (622) processes then-bit output value from the first CLRW2 component (622) and a 6n-bittweak value (formed as shown in FIG. 6b ), producing another n-bitoutput. The n-bit outputs from the second and third CLRW2 components(622) are concatenated into a 2n-bit output of the CDMS component (620).

FIG. 6c shows details of CLRW2[polyH^(rn), {tilde over (E)}_(K)]component, where r can be 6 (as in the components (622) of FIG. 6b ) or2 (as in the components (640) of FIG. 6a ). The first polyH^(rn)function (642) produces an n-bit tweak value from an input r·n-bit tweakvalue. The first block cipher (643) (with key K1) encrypts the n-bittweak value XOR'd with an n-bit input value. The output of the firstblock cipher (643) is then XOR'd with the n-bit tweak value, to producean n-bit intermediate value. The second polyH^(rn) function (642)produces an n-bit tweak value from the input r·n-bit tweak value. Thesecond block cipher (643) (with key K2) encrypts the n-bit tweak valueXOR'd with the n-bit intermediate value. The output of the second blockcipher (643) is then XOR'd with the n-bit tweak value, to produce ann-bit output value.

The VILTC {tilde over (V)}=TCTR [CLRW2[polyH^(2n),E]]. For the TCTRfunction,

: {0,1}^(n)×

→{0,1}^(n), as

(T, i)=T. The key space for {tilde over (V)} is {0,1}^(2k)×{0,1}^(4n),with key K being partitioned into two keys for E and two keys forpolyH^(2n). The tweak space for {tilde over (V)} is {0,1}^(2n), and itsdomain is {0,1}^({0,1,2, . . . , (l−2)n}). TCT₂ uses 4k+(l+r+15)n bitsof key material.

As shown in FIG. 6a , the TCTR for VILTC {tilde over (V)} is implementedas a series of components TBC {tilde over (F)}_(K) (640). Each TBC{tilde over (F)}_(K) (640) is implemented as CLRW2[polyH^(2n), {tildeover (E)}_(K)] component. Each TBC {tilde over (F)}_(K) (640) accepts,as tweak input, the 2n-bit IV (638). Each TBC {tilde over (F)}_(K) (640)also accepts, as message input, an n-bit padded counter value

i

, for 0≤i≤v−3. The n-bit output of each TBC {tilde over (F)}_(K) (640)is XOR'd with an n-bit block X_(i+3) of the message X to produce a blockY_(i+3) of the variable-length output string Y. FIG. 6c details aCLRW2[polyH^(rn), {tilde over (E)}_(K)] component for TBC {tilde over(F)}_(K) (640), where r=2.

D. Variations and Practical Considerations.

This section describes several variations of TCT₁ and TCT₂. None ofthese changes significantly impact the security bounds for theseimplementations, unless otherwise noted.

Reducing the number of block cipher keys. In the case of TCT₁, a singlekey can be used for both LRW2 instances, provided that domain separationis enforced through the tweak. This allows use of a single key for theunderlying block cipher, which in some situations may allow forsignificant implementation benefits (for example, by allowing a singleAES pipeline). One method that accomplishes this is to replaceLRW2[polyH^(2n), E]^(NH[(l+1)n,2n]) with LRW2[polyH^(3n), E]^(ƒ(ϵ,⋅))and LRW2[polyH^(n), E] with LRW2[polyH^(3n), E]^(ƒ(⋅,ϵ)). Here, ƒ is a2^(−n)-AU function with key space {0,1}^(3n)×0,1^(ln), taking inputs ofthe form (X, ϵ) (for some X ∈ {0,1}^(n)) or (ϵ, Y) (for some Y ∈{0,1}^({0,1, . . . , ln})), and outputting a 3n-bit string. Let ƒ_(L)(X,ϵ)=0^(2n)∥X and ƒ_(L)(ϵ, Y)=1^(n)∥NH[(l+1)n, 2n]_(L)(Y). The function ƒdescribed here is a mathematical convenience to unify the signatures ofthe two LRW2 instances, thereby bringing tweak-based domain separationinto scope; in practice, the two instances can be implementedindependently, save for a shared block cipher key. TCT₂ can be modifiedin a similar manner to require only two block cipher keys.

Performance improvements. For a FIL TBC, NH[ln, 2n] can be used in placeof NH[(l+1)n, 2n] by adjusting the padding scheme appropriately. Also,in the TCTR portion for the second example implementation TCT₂, thepolyH functions can be computed once per CLRW2 component, since eachLRW2 invocation uses the same tweak.

One possible implementation of TCT₂ uses 72 finite field multiplicationsduring the two FIL phases (a result of evaluating polyH^(6n) twelvetimes). Alternatively, an implementation can cache an intermediate valueof the polyH^(6n) hash used inside of CDMS (four n-bit tweak blocks areconstant per invocation), which saves 32 finite field multiplications.Pre-computing the terms of the polynomial hash corresponding to thedomain-separation constants eliminates 12 more multiplications, leaving28 in total. Four more are used during the VIL phase, giving a count of32.

Handling large message spaces. Both TCT₁ and TCT₂ are designed with FDEapplications in mind. In particular, they use a value l that is fixedahead of time, and use more than ln bits of key material. Theselimitations are a consequence of using the NH hash function. A simpleextension to NH, however, accommodates arbitrarily long strings. For apositive integer r, NH*_(L)(M₁M₂ . . . M_(v))=NH_(L)(M₁)∥NH_(L)(M₂)∥ . .. ∥NH_(L)(M_(v))∥

|M|mod rn

, where |M_(i)|=rn for i<v, |M|≤rn and NH_(L) abbreviates NH_(L)[rn,2N]. Thus defined, NH* is 2^(−N)-almost universal, has domain {0,1}*,and requires rn bits of key material. This modification shifts some ofthe weight to the polyH hash. Eight extra finite field multiplicationsare used for each additional rn bits of input.

With these modifications, the final two terms in TCT₁'s security bound(see section 7) become 8q²/2^(n)+600q²l²/r²2^(n)+4q²(l−1)²/2^(n), whereln is now the length of the adversary's longest query, l>2.5r, and theremaining terms measure the (S)PRP security of the underlying blockcipher. Assuming 2^(n)≥rn, |M| mod rn can be encoded within a singlen-bit block. Although the constant of 600 is large, setting r=16, forexample, reduces it to a more comfortable size—in this case to less thanthree. The bound for TCT₂ changes in a similar manner. (Also, if2^(n−2)≥rn, a single n-bit block can be used for both the tweakdomain-separation constants and

|M|mod rn

.)

Beyond birthday-bound security for long messages. When l is not boundedto some small or moderate value. TCT₂ no longer providesbeyond-birthday-bound security. The problematic term in the securitybound is q(l−1)²/2^(n). To address this, a different per-block tweakfunction can be used in the TCTR procedure. In particular

(T, i)=T∥

i

. In the nonce-respecting case, the underlying TBC {tilde over (E)} isthen re-tweaked with a never-before-seen value on each message block. If{tilde over (E)} were to be replaced by an ideal cipher Π, in thenonce-respecting case, every block of plaintext would be masked by theoutput of a fresh random permutation. In other words, every blockreturned will be uniformly random. Thus, a tight bound is expected inthis case. Alternatively, one could use Z_(i)←0^(n), and the same wouldbe true.

E. Instantiating VILTCs with Protected IV Using Conventional Encryption.

Alternatively, the VILTC {tilde over (V)} can be realized directly usingconventional block cipher-based encryption. Consider the followingimplementations of {tilde over (V)} and {tilde over (V)}⁻¹.

$\underset{\_}{{procedure}\mspace{14mu}{{\overset{\sim}{V}}_{K}\left( {T,X} \right)}\text{:}}$$X_{1},X_{2},\ldots\mspace{14mu},{X_{b}\overset{n}{\longleftarrow}X}$for  i = 1  to  b Y_(i) ← E_(K)(⟨T + i⟩) ⊕ X_(i)Return  Y₁, Y₂, …  , Y_(b)$\underset{\_}{{procedure}\mspace{14mu}{{\overset{\sim}{V}}_{K}^{- 1}\left( {T,Y} \right)}\text{:}}$$Y_{1},Y_{2},\ldots\mspace{14mu},{Y_{b}\overset{n}{\longleftarrow}Y}$for  i = 1  to  b X_(i) ← Y_(i) ⊕ E_(K)(⟨T + i⟩) Return  X₁, …  , X_(b)$\underset{\_}{{procedure}\mspace{14mu}{{\overset{\sim}{G}}_{K}\left( {T,X} \right)}\text{:}}$$X_{1},X_{2},\ldots\mspace{14mu},{X_{b}\overset{n}{\longleftarrow}X}$$\left. \overset{\_}{K}\leftarrow{f_{K}(T)} \right.$ for  i = 1  to  b$\left. Y_{i}\leftarrow{{E_{\overset{\_}{K}}\left( \left\langle {T + i} \right\rangle \right)} \oplus X_{i}} \right.$Return  Y₁, Y₂, …  , Y_(b)$\underset{\_}{{procedure}\mspace{14mu}{{\overset{\sim}{G}}_{K}^{- 1}\left( {T,Y} \right)}\text{:}}$$Y_{1},Y_{2},\ldots\mspace{14mu},{Y_{b}\overset{n}{\longleftarrow}Y}$$\left. \overset{\_}{K}\leftarrow{f_{K}(T)} \right.$ for  i = 1  to  b$\left. X_{i}\leftarrow{Y_{i} \oplus {E_{\overset{\_}{K}}\left( \left\langle {T + i} \right\rangle \right)}} \right.$Return  X₁, …  , X_(b)

This implementation of the VILTC {tilde over (V)} uses counter-modeencryption, but with the initial value T surfaced as an input to make ita tweakable cipher. Unfortunately, this implementation of the VILTC{tilde over (V)} lacks SRND-security against nonce-respectingadversaries. Nonetheless it can be modified as follows with security

${(A)} = {{\Pr\left\lbrack {{K\overset{\$}{\longleftarrow}{??}}\text{:}\mspace{14mu}{A^{{\overset{\sim}{E}}_{K}}( \cdot )}}\Rightarrow 1 \right\rbrack} - {{\Pr\left\lbrack A^{{\${( \cdot )}},{\${( \cdot )}}}\Rightarrow 1 \right\rbrack}.}}$Given {tilde over (E)} with tweak space

and message space

, the oracle

_(K) takes a query X ∈

and: (1) samples

${T\overset{\$}{\longleftarrow}{??}},$(2) returns E_(K)(T, X). Oracle

_(K) ⁻¹ behaves likewise on input Y ∈

, sampling

$T\overset{\$}{\longleftarrow}{??}$and returning E_(K) ⁻¹(T, Y).VI. Authenticated Encryption/Decryption with Associated Data UsingVILTCs.

Authenticated encryption with associated data (“AEAD”) provides a way toauthenticate messages that are sent with headers. For example, when aplaintext message is transformed into ciphertext in a way that protectsits privacy and authenticity, there may be a packer header or otherauxiliary information that accompanies the message and should beauthenticated with the message. If a message is augmented with a nonceand redundancy, one can obtain authenticated encryption by passing theencoded message directly through an SPRP-secure block cipher with asufficiently large domain.

This section describes ways to implement AEAD using VILTC components.The VILTC components can include VILTC components with protected IVs orVILTC components without protected IVs. In particular, this sectionidentifies the salient properties of the mapping from header-messagepairs (H, M) to tweakable cipher inputs (T, X). In addition to itssimplicity, there are several practical advantages of implementing AEADwith VILTCs.

Authenticated encryption with VILTCs admits associated data and canwithstand nonce-misuse. The tweak can be used effectively to bind amessage header to the ciphertext.

Additionally, one can explore the effects of randomness, state orredundancy present in the message and the header inputs. For example,randomness and state can be shifted to the header without loss ofsecurity, potentially reducing the number of bits that must be processedcryptographically. In particular, this can reduce bandwidth overhead byleveraging nonces, randomness and redundancy already present inplaintext inputs. Messages in protocols that include sequence numbers,human-readable fields, or padding often contain useful nonces andredundancy.

AEAD with VILTCs also allows for multiple decryption error messages,while remaining robust against side-channel attacks that seek to exploitthem (e.g., padding oracles). Use of multiple descriptive error messagescan be quite useful in practice, but has often empowered damagingattacks. These attacks fail against AEAD schemes with VILTCs because,loosely, changing any bit of a ciphertext will randomize every bit ofthe decrypted plaintext string. Thus, AEAD with VILTCs offers robustnesseven in the face of certain side channels and common implementationmistakes. Descriptive error messages (e.g., bad_padding orbad_seq_number) cannot be leveraged to forge useful future ciphertext.Further, nonce repetitions only leak equality of plaintext.

This AEAD approach also works for FPE. To transparently insert anencryption layer into legacy systems (e.g., to database schemas orprotocol specifications) with minimal changes, FPE uses ciphertext thathas the same format as plaintext. For example, both might be restrictedto the set Σ^(n), for some (often non-binary) alphabet Σ. This precludesinserting dedicated IVs into ciphertext. One can compensate by usingassociated data to tweak encryption, making tweakable ciphers and theirsecurity definitions a natural fit. Unique associated data guaranteesprivacy in a more standard sense, and checking redundancies (such ascredit card issuer Identification Numbers and checksums) providesauthenticated encryption.

In general, given a header H and a message M, an AEAD scheme with aVILTC encodes (H, M) into a tweakable cipher input (T, X). For a Nonceof some fixed length, suppose T=Nonce∥H, and X=Nonce∥M. The header H istransmitted. The ciphertext cannot simply be C={tilde over (E)}_(K)(T,X), however, because the Nonce value is also needed for decryption. So,the ciphertext should be (Nonce, C). In this example, T=Nonce∥H was anencoded header, and X=Nonce∥M was an encoded message. The symbols T andX are replaced with H and M, respectively. The mapping from H toH=Nonce∥H is non-deterministic, but can be completely reproducedprovided one knows Nonce, which acts as reconstruction information. Themessage encoding function uses the reconstruction information, andtherefore has a different signature than the header encoding function.Also, the reconstruction information should not depend on M. Therecipient computes M={tilde over (E)}_(K) ⁻¹(H, C), and verifies thatNonce is a prefix of M in M=Nonce∥M.

More formally, an AEAD scheme is a tuple Ψ=(

,ϵ,

) consisting of a key-generation algorithm

, an encryption algorithm ϵ, and a decryption algorithm

. For simplicity, the key-generation algorithm

is assumed to sample a key from a non-empty set of the same name. Theencryption algorithm, which may be randomized or stateful, is a mappingϵ:

×

×

→

×{0,1}*. Thus, encryption takes a key K ∈

, a header H ∈

⊂ {0,1}*, and a message M ∈

⊂ {0,1}*, and returns some reconstruction information R ∈

, along with ciphertext C.

$\left( {R,C} \right)\overset{\$}{\longleftarrow}{ɛ_{K}\left( {H,M} \right)}$represents running ϵ_(K) on (H, M), which returns (R, C). Thedeterministic decryption algorithm is a mapping

:

×

×

×{0,1}*→

∪Errors, where Errors is a set such that

∩Errors=∅. (|Errors| need not equal 1.) For proper operation, Pr[

_(K)(H, ϵ_(K)(H, M))=M]=1 for all K ∈

, H ∈

and M ∈

. If ϵ is stateful, this holds for all states.

In practice, the header H is typically transmitted in the clear alongwith the ciphertext (e.g., when the header is needed for routing), butAEAD schemes with VILTCs may also encode H into some related H forinternal use. If this encoding is non-deterministic, the reconstructioninformation R delivers whatever is used by decryption to properlyreconstruct this H from H. For example, R may consist of a counter, somerandom bits, or some redundancy. It may also be the empty string.

To avoid constructions that are trivially insecure by virtue of writingmessage or key bits into R, the following conditions apply. Given anysequence of inputs {(H_(i), M_(i))}_(1≤q) and any two sequences ofpossible outcomes {(R_(i), C_(i))}_(i≤q) and {(R′_(i), C′_(i))]_(i≤q),then for any

${{H \in \mathcal{H}},M,{M^{\prime} \in \mathcal{M}},K,{K^{\prime} \in {??}},{{{and}\mspace{14mu} r} \in \mathcal{R}},{{\Pr\left\lbrack {R = {{r\top{ɛ_{K}\left( {H_{i},M_{i}} \right)}} = {{\left( {R_{i},C_{i}} \right)\mspace{14mu}{for}\mspace{14mu} i} \leq q}}} \right\rbrack} = {\Pr\left\lbrack {R^{\prime} = {\left. r \middle| {ɛ_{K^{\prime}}\left( {H_{i}^{\prime},M_{i}^{\prime}} \right)} \right. = {{\left( {R_{i}^{\prime},C_{i}^{\prime}} \right)\mspace{14mu}{for}\mspace{14mu} i} \leq q}}} \right\rbrack}},{{where}\mspace{14mu}{\left( {R,C} \right)\overset{\$}{\longleftarrow}{ɛ_{K}\left( {H,M} \right)}}\mspace{14mu}{and}\mspace{14mu}{\left( {R^{\prime},C^{\prime}} \right)\;\overset{\$}{\longleftarrow}{ɛ_{K}\left( {H,M^{\prime}} \right)}}},}\;$the states of ϵ_(K) and ϵ_(K′) being conditioned on the two transcripts,respectively. That is, R (hence, R′) can depend only on H, q, and coinstossed by ϵ_(K) on the query that generates R.

By allowing |Errors|>1, an AEAD scheme can return multiple, distincterror messages. This can be useful in practice, for example, fordiagnostics within a protocol session.

Ideally, ciphertext is indistinguishable from random bits.Reconstruction information might not be random (e.g., R might be acounter), however, so the usual IND$-CPA notion is modified. To bespecific, the privacy of an AEAD scheme Ψ is measured via the followingadvantage:

${{Adv}_{\Psi}^{priv}(A)} = {{\Pr\left\lbrack {{K\overset{\$}{\longleftarrow}{??}};\left. A^{ɛ_{K}{(\because)}}\Longrightarrow 1 \right.} \right\rbrack} - {{\Pr\left\lbrack {{K\overset{\$}{\longleftarrow}{??}};\left. A^{\$_{K}{(\because)}}\Longrightarrow 1 \right.} \right\rbrack}.}}$$_(K)(⋅,⋅) is an oracle that, on input (H, M), computes

${\left( {R,C} \right)\overset{\$}{\longleftarrow}{ɛ_{K}\left( {H,C} \right)}},$samples

${Y\overset{\$}{\longleftarrow}\left\{ {0,1} \right\}^{C}},$and returns (R, Y). The authenticity goal is the integrity ofciphertext. Namely,

${{{Adv}_{\Psi}^{{int} - {ctxt}}(A)} = {\Pr\left\lbrack {{K\overset{\$}{\longleftarrow}{??}};{A^{{ɛ_{K}{(\because)}},{{??}_{K}{({\because \cdot})}}}{Forges}}} \right\rbrack}},$where the Boolean event Forges is true if and only if A asks a query (H,R, C) to its

_(K) oracle such that (1)

_(K)(H, R, C) ∉ Errors, and (2) no prior query to ϵ_(K)(⋅,⋅) returned(H, R, C). Without loss of generality, A halts as soon as Forges becomestrue.

A. Encoding and Decoding Schemes.

Informally, an encoding algorithm reformats its input, and injectsrandomness, state or redundancy, while a decoding algorithm validatesand distills out the original input data.

More formally, in example implementations, the AEAD scheme (andcorresponding decryption) use a message space

, a header space

, an encoded message space

⊂ {0,1}*, and an encoded header

⊂ {0,1}*. These sets are non-empty, but could equal {ϵ}. For a setErrors, Errors ∩

=∅.

A header encoding function Encode_(H):

→

maps headers to encoded headers, possibly in some random or statefulfashion. There are a non-empty set

and a bijection

⋅,⋅

:

×

→

with the property that for all H, Encode_(H)(H)=

R, H

for some R ∈

. In other words, H can be recovered from Encode_(H)(H), and anyparticular output of Encode_(H)(H) can be reconstructed from H given thecorresponding R. Encode_(H) is (

,

,

)-encoder (leaving

⋅,⋅

implicit).

A message encoding scheme EncodeMsg=(Encode_(M), Decode_(M)) consists ofa message encoding function Encode_(M):

×

→

and a message decoding function Decode_(M):

×

→

∪Errors. Encode_(M) can be randomized or stateful. Decode_(M)(H, M)=M ∈

if and only if Pr[Encode_(M)(H, M)=M]>0 for some state of Encode_(M);otherwise, Decode_(M)(H, M) ∈ Errors. It is possible, for example, forDecode_(M)(H, M)=(⊥, H, M) ∈ Errors). The Decode_(M) algorithm isdeterministic, and all algorithms should run in linear time. EncodeMsgis a (

,

,

,

, Errors)-encoding scheme.

The encoding functions have an associated maximal stretch. This isdefined to be the smallest s ∈

such that, for all H ∈

, H ∈

, and M ∈

, |Encode_(H)(H)|≤|H|+s and |Encode_(M)(H, M)|≤|M|+s.

One key property of the encoding mechanisms relates to the likelihoodthat an encoding scheme can be made to repeat outputs. Let A be anadversary that asks q queries (not necessarily distinct) to an oracle ƒ,receiving Y ₁, Y ₂, . . . , Y _(q) in response, and that halts byoutputting these values. (ƒ can be a message- or header-encodingfunction.) A can be assumed to be deterministic. δ:

→[0,1] is a function. ƒ is (d, δ)-colliding if Pr[A^(ƒ)

(Y ₁, Y ₂, . . . , Y _(q)):∃i₁<i₂< . . . <i_(d) such that Y _(i) ₁ =Y_(i) ₂ = . . . =Y _(i) _(d) ]≤δ(q), This notion is only defined for d≥2.Given a (d, δ)-colliding oracle, it can be assumed that δ(0)=δ(1)=0.

A second key property captures the probability that a random string (ofa given length) is a valid encoding. In essence, this is a measure ofthe density of encodings. ∈ ∈

is a real number. The (

,

,

,

, Errors)-encoding scheme EncodeMsg=(Encode_(M), Decode_(M)) is ∈-sparseif for all positive integers n and all H ∈

, |{C ∈ {0,1}^(n): Decode(H, C) ∉ Errors}|/2^(n)≤∈.

B. AEAD Via Encode-Then-Encipher, Corresponding Decipher-Then-Decode.

FIG. 7 shows a generalized technique (700) for authenticated encryptionwith associated data using a VILTC. An encryption system performs thetechnique (700).

The encryption system receives (710) a header and a message. Theencryption system processes (720) the message using a VILTC to provideauthenticated encryption with associated data. The VILTC uses aprotected IV. Alternatively, the VILTC is a conventional VILTC. A tweakfor the VILTC is based at least in part on the header. The processingproduces an encrypted message. The encryption system outputs (730) theheader and the encrypted message.

For example, as part of the processing (720) of the message, theencryption system determines a modified header using the header andreconstruction information, then determines a modified message using themessage and the modified header. The encryption system encrypts themodified message using the VILTC, with the modified header providing thetweak for the VILTC. The encryption system outputs (730) thereconstruction information along with the header and encrypted message.

The encryption system can repeat the technique (700) for one or moreother messages.

FIG. 8 shows a generalized technique (800) for authenticated decryptionwith associated data using a VILTC. A decryption system performs thetechnique (800).

The decryption system receives (810) a header and an encrypted message.The decryption system processes (820) the encrypted message using aVILTC to provide authenticated decryption with associated data. TheVILTC uses a protected IV. Alternatively, the VILTC is a conventionalVILTC. A tweak for the VILTC is based at least in part on the header.The processing produces a decrypts message, which the decryption systemoutputs (830).

The decryption system can also receive reconstruction information. Aspart of the processing (820) of the encrypted message, for example, thedecryption system determines a modified header using the header and thereconstruction information, then decrypts the encrypted message usingthe VILTC, with the modified header providing the tweak for the VILTC,thereby producing a modified message. The decryption system determinesthe message using the modified message and the modified header.

Optionally, for an authentication step, the decryption system checks tosee if the message is valid. For example, if a pre-determined number of“0” bits have been appended to a message during encryption, thendecryption can check for the presence of those bits. If this checkfails, then decryption outputs an error. There may be multiple differentchecks for a message to pass, and the output error(s) may vary dependingon which (combination of) checks fail. (This is the “authenticated” partof “authenticated encryption”—if an attacker tampers with an encryptedmessage, it will likely no longer be valid once decrypted.)

The decryption system can repeat the technique (800) for one or moreother messages.

More formally, in example implementations, {tilde over (E)}:

×

×

→

is a tweakable cipher. Encode_(H) is a (

,

,

)-encoder, and EncodeMsg=(Encode_(M), Decode_(M)) is an (

,

,

,

, Errors)-encoding scheme, for some non-empty sets

,

, and

. From these, an encode-then-encipher AEAD schemeΨ[Encode_(H),EncodeMsg, E] is defined as follows.

$\underset{\_}{{procedure}\mspace{14mu}{ɛ_{K}\left( {H,M} \right)}\text{:}}$$\left. \overset{\_}{H}\leftarrow{\left\langle {R,H} \right\rangle\overset{\$}{\longleftarrow}{{Encode}_{H}(H)}} \right.$$\overset{\_}{M}\overset{\$}{\longleftarrow}{{Encode}_{M}\left( {\overset{\_}{H},M} \right)}$${{Return}\mspace{14mu} R},{{\overset{\sim}{E}}_{K}\left( {\overset{\_}{H},\overset{\_}{M}} \right)}$$\underset{\_}{{procedure}\mspace{14mu}{{??}_{K}\left( {H,R,C} \right)}\text{:}}$$\left. \overset{\_}{H}\leftarrow\left\langle {R,H} \right\rangle \right.$$\left. \overset{\_}{M}\longleftarrow{{\overset{\sim}{E}}_{K}^{- 1}\left( {\overset{\_}{H},C} \right)} \right.$${Return}\mspace{14mu}{{Decode}_{M}\left( {\overset{\_}{H},\overset{\_}{M}} \right)}$

Reconstruction information R allows decryption to reconstruct H from theheader (in lieu of sending H as part of the ciphertext, or forcing thecalling application to replace H with H.)

As a simple example, Encode_(H) prepends an 64-bit counter R to theheader H, and Encode_(M)(H, M) returns M∥0⁸⁰. Then Encode_(H) is(2,0)-colliding, and Encode_(M) is 2⁻⁸⁰ -sparse (but (2,1)-colliding).Authenticity checks implicitly take place inside the Decode_(M)function.

VII. Explanation of Results.

This section provides a detailed justification for the results presentedabove.

Theorem 1—Security for VILTC with Protected IV. A VILTC with a protectedIV still includes a VILTC module within it. The VILTC with a protectedIV has a larger domain, and the N-bit TBC provide advantages in terms ofsecurity.

For tweak spaces and message spaces (

,

,

,

) as defined in section IV, and for TBC length N, {tilde over (F)}:

′×

′×{0,1}^(N)→{0,1}^(N) is a tweakable block cipher, and {tilde over (V)}:

×{0,1}^(N)×

→

is a VILTC. PIV[{tilde over (F)}, {tilde over (V)}]: (

′×

)×

T×

→

. A is an adversary making q<2^(N)/4 queries totaling μ bits and runningin time t. For adversaries B and C, making q and 2q queries,respectively, and both running in O(t) time,

${{(A)} \leq {{(B)} + {(C)} + \frac{4\; q^{2}}{2^{N}}}},$where B is nonce-respecting and whose queries total μ−qN bits in length.

The VIL portion {tilde over (V)} of the PIV composition needs to beSRND-secure against only nonce-respecting adversaries. It is easy tobuild efficient schemes meeting this requirement. Only the fixed-inputlength (“FIL”) portion {tilde over (F)} needs to be secure against STPRPadversaries that can use arbitrary querying strategies. Thus the PIVcomposition promotes nonce-respecting security over a large domain intofull STPRP security over a slightly larger domain. If {tilde over (F)}is a good STPRP, then if any part of T or X is “fresh,” the string forthe IV should be random. Hence, it is unlikely that an IV value isrepeated, and so nonce-respecting security of the VIL component isenough. The same holds when deciphering, if any part of T, Y is “fresh.”

The term 4q²/2^(N) accounts for collisions in IV and the differencebetween {tilde over (F)} and a random function. This is a birthday-boundterm in N, the block size of {tilde over (F)}. Since most TBC designsemploy (one or more) underlying block ciphers, the block size N of{tilde over (F)} can be larger than the block size n of some underlyingblock cipher upon which it might be built. Indeed, given an n-bit blockcipher (and a hash function), {tilde over (F)} can be built with N=2n.

If one removes the lower {tilde over (F)} invocation (after {tilde over(V)}) and returns IV∥Y_(R), the resulting composition does notgenerically deliver a secure STPRP. On the other hand, it is secure as aTPRP (just not a strong TPRP). For a message space {0,1}^(S)(S ⊂

), a tweak space

, and a non-negative integer n≤min(S), let A be an adversary making atmost q queries and running in time t.

${(A)} \leq {{(A)} + {\frac{q\left( {q - 1} \right)}{2^{{\min{(S)}} + 1}}.}}$This result is essentially a PRF-PRP switching lemma for TBCs, andreduces the problem to that of bounding

Consider

${{ɛ\left\lbrack \overset{\sim}{V} \right\rbrack} = {{PIV}\left\lbrack {\overset{\sim}{V},\Pi} \right\rbrack}},{{{where}\mspace{14mu}\Pi}\overset{\$}{\leftarrow}{{BC}(N)}}$is an ideal cipher. The oracles in Game 1 (“G1”) (shown in FIG. 9)simulate ϵ[{tilde over (V)}] and ϵ[{tilde over (V)}]⁻¹ using lazysampling to define Π, so Pr[A^(ϵ[{tilde over (V)}],ϵ[{tilde over (V)}])⁻¹

1]=Pr[G1(A)

1]. In FIG. 9, Game 1 includes the boxed statements.

In Game 2 (“G2”) (also shown in FIG. 9), “illegal” values are no longerresampled when defining Π. In FIG. 9, Game 2 does not include the boxedstatements. The only changes in the code occur after a Boolean “bad”flag is set to true; by the Fundamental Lemma of Game-Playing:

(A)≤(Pr[G2(A)

1]−Pr[A ^($(⋅,⋅),$(⋅,⋅))

1])+Pr[G2(A);bad₁

bad₂

bad₃].In Game 2, {tilde over (V)} is never queried using the same tweak twice,and the oracles in the game return values with a random n-bit prefix. InGames 1 and 2, Boolean variables are initialized to false.

In a third Game (“G3”) (not shown in FIG. 9), {tilde over (V)} isreplaced by an oracle $(⋅,⋅) that always returns a random string equalin length to its second input. By a standard argument there exists somenonce-respecting adversary B making q queries and running in

(t) time such that:Pr[G2(A)

1]−Pr[G3(A)

1]≤

(B).This leads to:

(A)≤(Pr[G3(A)

1]−Pr[A ^($(⋅,⋅),$(⋅,⋅))

1])+Pr[G2(A); bad₁

bad₂

bad₃]+

(B).Each the first N bits of each oracle output (corresponding to Z′_(i))are always uniformly random in Game 2. When {tilde over (V)} switches to$(⋅,⋅) in Game 3, the remaining bits also become uniformly random. HencePr[G3(A)

1]=Pr[A^($(⋅,⋅),$(⋅,⋅))

1].

The final task is to bound the probability that A sets a bad flag inGame 2. The probability that bad₁ is set during query j is less thanj/(2^(N)−2j). Similarly, the probabilities of bad₂ and bad₃ being setare at most 2j/(2^(N)−2j) and 2^(j)/2^(N), respectively. Therefore, theprobability that at least one flag is set during query j is at most3j/(2^(N)−2j)+2j/2^(N).

Taking the union bound over j ∈ 1,2, . . . , q yields Pr[G1(A);

$\left. {{bad}_{1}\bigvee{bad}_{2}\bigvee{bad}_{3}} \right\rbrack \leq {{q^{2}\left( {\frac{1.5}{2^{N} - {2q}} + \frac{1}{2^{N}}} \right)}.}$Since q<2^(N)/4, 1.5/(2^(N)−2q)<3/2^(N). With the previous results,using a standard argument to return to the computational settingcompletes the proof:

${{(A)} \leq {{(B)} + {(C)} + \frac{4\; q^{2}}{2^{N}}}},$where C makes 2q queries, B makes q queries of total length μ−qN bitswithout repeating a tweak, and both run in

(t) time.

Theorem 2—TCTR. Consider the behavior of the procedure TCTR when

(T, i)=T. The TBC {tilde over (E)}: {0,1}^(k)×

×{0,1}^(n)→{0,1}^(n), and TCTR[{tilde over (E)}]_(K) and TCTR[{tildeover (E)}]_(K) ⁻¹ are defined as in the TCTR pseudocode listings ofsection V, with

(T, i)=T ∈

. A is a nonce-respecting adversary that runs in time t and asks qqueries, each of length at most ln bits (so, μ≤zln). Then, for someadversary B making at most ql queries and running in time

(t),

_([{tilde over (E)}])(A)≤

(B)+0.5ql²/2^(n). The bound displays birthday-type behavior whenl=o(√{square root over (q)}), and is tightest when l is a smallconstant. An important application with small, constant l is full-diskencryption. Here plaintext X would typically be 4096 bytes long, so ifthe underlying TBC has block size n=128, there are roughly l=256 blocks.

Theorem 3—STPRP Security of TCT₁. For TCT₁ defined as in section V.B, Ais an adversary making q<2/4 queries and running in time t. AdversariesB and C, both running in time

(t), make (l−1)q and 2q queries respectively, such that

[ E ] ⁢ ( A ) ≤ Adv E prp ⁡ ( B ) + Adv E sprp ⁡ ( C ) + 32 ⁢ ⁢ q 2 2 n + 4 ⁢ ⁢q 2 ⁡ ( ℓ - 1 ) 2 2 n .It follows that:

[ E ] ⁢ ( A ) ≤ 4 ⁢ ⁢ q 2 2 n + ⁢ ( t ′ , q ) + Adv F ~ sprp ⁡ ( t ′ , 2 ⁢ q )≤ 4 ⁢ q 2 2 n + [ q ⁡ ( ℓ - 1 ) 2 2 n + [ polyH n , E ] ⁢ ( t ′ , ( ℓ - 1 )⁢q ) ] +   [ 24 ⁢ q 2 2 n + 4 ⁢ q 2 2 n + Adv E sprp ⁡ ( t ′ , 2 ⁢ q ) ] ≤ 4 ⁢q 2 2 n + [ q ⁡ ( ℓ - 1 ) 2 2 n + 3 ⁢ q 2 ⁡ ( ℓ - 1 ) 2 2 n + Adv E prp ⁡ (( ℓ - 1 ) ⁢ q , t ′ ) ] + [ 28 ⁢ q 2 2 n + Adv E sprp ⁡ ( t ′ , 2 ⁢ q ) ] ≤32 ⁢ q 2 2 n + q ⁡ ( ℓ - 1 ) 2 2 n + 3 ⁢ q 2 ⁡ ( ℓ - 1 ) 2 2 n + Adv E prp ⁡( ( ℓ - 1 ) ⁢ q , t ′ ) + Adv E sprp ⁡ ( t ′ , 2 ⁢ q ) .

This algorithm requires 2k+(3+τ+l)n bits of key material, including twokeys for {tilde over (E)}. A single key for E may suffice, however, withno significant damage to the security bound, although this improvementis motivated primarily by performance concerns. Thus, the TCT₁implementation retains the security of previous constructions, and usesarithmetic in rings with powers-of-two moduli, rather than in a finitefield. This may potentially improve performance in some architectures.

Theorem 4—STPRP Security of TCT₂. For TCT₂ defined as in section V.C, Ais an adversary making q queries and running in time t, where 6q,lq<2^(2n)/4. Adversaries B and C, both running in

(t) time, make (l−1)q and 6q queries, respectively, such that

${(A)} \leq {{2\;{{Adv}_{E}^{prp}(B)}} + {2\;{{Adv}_{E}^{sprp}(C)}} + \frac{12q^{2}}{2^{2n}} + \frac{{q\left( {\ell - 1} \right)}^{2}}{2^{n}} + \frac{6\;\ell^{3}q^{3}}{2^{{2n} - 2} - {\ell^{3}q^{3}}} + {\frac{6^{4}q^{3}}{2^{{2n} - 2} - {6^{3}q^{3}}}.}}$It follows that:

⁢( A ) ≤ 4 ⁢ q 2 2 2 ⁢ n + ⁢ ( t ′ , q ) + Adv F ~ sprp ⁡ ( t ′ , 2 ⁢ q ) ≤ 4 ⁢q 2 2 2 ⁢ n + [ q ⁡ ( ℓ - 1 ) 2 2 n + [ H 2 ⁢ n , E ] ⁢ ( t ′ , ( ℓ - 1 ) ⁢ q, ) ] +   [ 4 ⁢ q 2 2 2 ⁢ n + 4 ⁢ q 2 2 2 ⁢ n + [ H 6 ⁢ n , E ] ⁢ ( t ′ , 6 ⁢ q, ) ] ≤ 12 ⁢ q 2 2 2 ⁢ n + q ⁡ ( ℓ - 1 ) 2 2 n + 6 ⁢ ⁢ ℓ 3 ⁢ q 3 2 2 ⁢ n - 2 -ℓ 3 ⁢ q 3 + 6 4 ⁢ q 3 2 2 ⁢ n - 2 - 6 3 ⁢ q 3 + 2 ⁢ ⁢ Adv E prp ⁡ ( t ′ , ( ℓ -1 ) ⁢ q ) + 2 ⁢ ⁢ Adv E sprp ⁡ ( t ′ , 6 ⁢ q ) .

Some of the constants in this bound are significant. However, TCT₂nevertheless provides substantially better security bounds than TCT₁ andprevious constructions.

Theorem 5—Beyond Birthday-Bound Security for Long Messages. {tilde over(E)}: {0,1}^(k)×

×{0,1]^(n)→{0,1}^(n) is a TBC, and TCTR[{tilde over (E)}]_(K) andTCTR[{tilde over (E)}]_(K) ⁻¹ are defined as in section V.D, with

:

′×

→

being an arbitrary infective mapping. A is a nonce-respecting adversarythat runs in time t and asks q queries of total length at most μ=σnbits. Some adversary B makes at most σ queries and runs in time

(t), such that

_([{tilde over (E)}])(A)≤

(B). Using this variation of TCTR in the security proofs for TCT₁ andTCT₂ removes the q(l−1)² term from the bounds, thereby lifting messagelength concerns. If this change is made,

(T, i) is computed up to l times per invocation, rather than just once.This problem may be mitigated by using another TBC (as described inRogaway, “Efficient Instantiations of Tweakable Blockciphers andRefinements to Modes OCB and PMAC” (2004)) in place of LRW2, which makesincrementing the tweak extremely fast without significantly changing thesecurity bound. When the above change are made, TCT₁ and TCT₂ offerefficient tweakable ciphers on an unbounded domain, losing securityguarantees only after

(2^(n/2)) (resp.,

(2^(2n/3))) bits have been enciphered.

Theorem 6 and Lemmas—VILTC with Protected IV with ConventionalEncryption. Suppose

,

,

,

, integer N, TBC {tilde over (F)} and tweakable cipher {tilde over (V)}are as described in Theorem 1. A is an adversary making q<2^(N)/4queries and running in time t. Adversaries B and C, making q and 2qqueries, respectively, run in

(t) time, such that

${(A)} \leq {\frac{5q^{2}}{2^{N}} + {(B)} + {(C)}}$where B is nonce-respecting. A standard proof shows that the TBC in thepseudocode listings in section V.E is SRND$-secure, up to a birthdaybound, if E is secure as a PRP.

Suppose E: {0,1}^(k)×{0,1}^(n)→{0,1}^(n) is a block cipher, and {tildeover (V)} and {tilde over (V)}⁻¹ are defined as in the pseudocodelistings in section V.E. Let A be un adversary running in time t, andasking q queries these totaling at most μ=σn bits. Then

(A)≤σ²/2^(n)+Adv_(E) ^(prp)(B), where B asks at most a queries, and runsin time

(t).

Thus, one could compose counter-mode encryption with {tilde over (F)}based on LRW2 to build an efficient, birthday-bound-secure STPRP. Onecan view {tilde over (F)}_(K)′(T∥X[N+1 . . . ], X[1 . . . N)) as aspecial kind of PRF (one with invertibility properties), that takesinput (T, X) and returns a “synthetic IV” for use in counter-mode. Thesecond application of {tilde over (F)}_(K′) then serves to hide thissynthetic IV in way that leaves it recoverable to those in possession ofkey K′.

The security of this counter-mode construction can be increased by“re-keying”′ the underlying block cipher, using a PRF ƒ:{0,1}^(k)×(0,1)^(n)→{0,1}^(k) to generate per-message keys, as shown inthe construction of {tilde over (G)}, {tilde over (G)}⁻¹ in thepseudocode listings of section V.E. {tilde over (G)}_(K)(T, X) can becomputed as (1) K←ƒ_(K)(T), (2) return {tilde over (F)} _(K) (T, X).Recalling that, for any function ƒ:

×

→

′, the pseudo-random function (PRF) advantage of adversary A against ƒis defined to be

${{{Adv}_{f}^{prf}(A)} = {{\Pr\left\lbrack K\overset{\$}{\leftarrow}{{??}\text{:}\mspace{14mu} A^{f_{K}{( \cdot )}}}\Rightarrow 1 \right\rbrack} - {\Pr\left\lbrack {\rho\overset{\$}{\leftarrow}{{{Func}\left( {{??},{??}^{\prime}} \right)}\text{:}\mspace{14mu} A^{\rho{( \cdot )}}}}\Rightarrow 1 \right\rbrack}}},$theorem 6 follows.

Theorem 6. E: {0,1}^(k)×{0,1}^(n)→{0,1}^(n) is a block cipher, and{tilde over (V)} and {tilde over (V)}⁻¹ are as defined in the pseudocodelistings of section V.E. ƒ:{0,1}_(k)×{0,1}^(n)→{0,1}^(k) is a function,and {tilde over (G)} and {tilde over (G)}⁻¹ are as defined in thepseudocode listings of section V.E. A is a nonce-respecting adversarythat runs in time t, and asks q queries, each of length at most mn bits(so, μ≤qmn).

(A)≤q(m²/2^(n)+Adv_(E) ^(prp)(B))+Adv_(ƒ) ^(prf)(C) where: (1) B asks atmost m queries and runs in time

(t), and (2) C asks q queries and runs in time at most

(t).

If the maximum number of blocks in a message m is small, this re-keyingapproach has the potential to give beyond birthday-bound SRND-securityagainst nonce-respecting adversaries. In the case of FDE, for example,Adv_(E) ^(prp)(t′, 32) appears to be very small when n=128, so securityfor q>>2⁶⁴ seems possible. This implementation uses a PRF ƒ that remainssecure for any such q.

In any case, the construction of the VILTC {tilde over (G)} violates acore principle of the tweakable primitive abstraction, namely that tweakchanges should be fast, and much faster than changing the key.

Theorem 7—Privacy for AEAD. Ψ=Ψ[Encode_(H),EncodeMsg, {tilde over (E)}]as defined in the pseudocode listings in section VI.B. s is the maximalstretch of EncodeMsg, s′ is the maximal stretch of Encode_(H), and m isthe length of the shortest M ∈

satisfying Decode_(M)(H,M)≠ Errors for some H ∈

. A is an adversary making q queries totaling μ bits, and running intime t. If Encode_(H) is (d, δ_(H))-colliding and Encode_(M) is (2,δ_(M))-colliding for some δ_(M) that is increasing and convex on {0,1, .. . , q}, there is an adversary B such that:

${{{Adv}_{\Psi}^{priv}(A)} \leq {{(B)} + {\left( {{\delta_{M}\left( {d - 1} \right)} + \frac{\left( {d - 1} \right)\left( {d - 2} \right)}{2^{m + 1}}} \right)\left\lceil \frac{q}{d - 1} \right\rceil} + {\left( {{\delta_{M}(q)} + \frac{q\left( {q + 1} \right)}{2^{m + 1}}} \right){\delta_{H}(q)}}}},$where B makes q queries of total length at most μ+q(s+s′) bits and runsin time

(t).

Theorem 8—Authenticity for AEAD. Ψ[{tilde over(E)}]=Ψ[Encode_(H),EncodeMsg, {tilde over (E)}] as defined in thepseudocode listings of section VI.B. Let s is the stretch of EncodeMsg,s′ is the maximal stretch of Encode_(H), and m is the length of theshortest M ∈

satisfying Decode_(M)(H, M)≠ Errors for some H ∈

. A is an adversary making q_(ϵ) (resp.,

) queries totaling μ_(ϵ) (resp.,

) bits to its encryption (resp., decryption) oracle, and running in timet. If Encode_(M) is ∈-sparse and q_(ϵ)+

<2^(m−1), there is an adversary B such that Adv_(Ψ[{tilde over (E)}])^(int-ctxt)(A)≤

(B)+2

∈, where B makes q_(ϵ) forward-queries of total length (μ_(ϵ)+q_(ϵ)s)bits,

inverse-queries of total length (

+

s′) bits, and runs in

(t) time.

Consider the case that Encode_(H) is (2,0)-colliding. In this case, theprivacy bound. (Theorem 7) simplifies to Adv_(Ψ) ^(priv)(A)≤

(B). This is intuitive, since if the tweak H never repeats, the outputs{tilde over (E)}_(K)(H, M) are uniformly random strings for any validencoding of (H, M) into M; Encode_(H)(H, M)=M suffices. Thus, goodencodings of the header H can substantially reduce the burden placedupon encoding of (H, M) into M.

More generally, assume that the probability of Encode_(H) producing anyH more than d times, for some small constant d<<q, is negligible. Thenthe final teim in the bound can effectively be ignored. The second termis roughly qδ_(M)(d)+q/2^(m+1). Now, notice that δ_(M) is evaluated atd, not q, and so qδ_(M)(d) can be made negligible by encoding areasonable amount of randomness into M (e.g. log(q) bits). For somenatural choices of EncodeMsg then, q/2^(m+1) will be the dominatingterm, where m is the shortest length of M. But to achieve goodauthenticity bounds, m is unlikely to let q/2^(m+1) ruin the bound.

The presence of the tweak allows shifting of “extra” bits for randomnessor state into the encoding of the header, which potentially reduces thenumber of bits that must be cryptographically processed.

Turning now to the authenticity bound (Theorem 8), note that ifEncode_(M) inserts b redundant bits (so ∈≈2^(−b)) and q_(ϵ)+

<<2^(m), the second term of the authenticity bound is approximately

/2^(b). Thus, if the tweakable cipher {tilde over (E)} hasSTPRP-security up to, for example, 2⁸⁰ queries (e.g., an appropriatelyinstantiated PIV with N=256), then encoding the header with a nonce, andthe message with 80 bits of redundancy, yields an AEAD scheme withroughly 80-bit privacy and authenticity guarantees, and one that cantolerate nonce-misuse.

The proof of Theorem 8 can be easily modified to show that the statedbound holds even if the adversary controls the coins and state ofEncode_(M) and Encode_(H). Additionally, only decryption oracle queriesare assumed to be not redundant—adversaries are not assumed to respectany nonces encoded into the headers or messages.

Proof of Theorem 7.

$\Pi\overset{\$}{\leftarrow}{{BC}\left( {{\overset{\_}{\mathcal{H}}},{\overset{\_}{\mathcal{M}}}} \right)}$is a random cipher. Ψ[Π] is the AEAD scheme obtained by replacing {tildeover (E)}_(K) and {tilde over (E)}_(K) ⁻¹ with Π and Π⁻¹, respectively,everywhere in the algorithms of Ψ[Encode_(H),EncodeMsg, {tilde over(E)}]. ϵ_(Π) is the corresponding encryption algorithm. Pr[A^(ϵ) ^(K)^((⋅,⋅))

1]−Pr[A^(ϵ) ^(Π) ^((⋅,⋅))

1]≤

(B), for the standard adversary B that simulates ϵ_(K) or ϵ_(Π),depending on its own oracle. This leaves

${{Adv}_{\Psi}^{priv}(A)} \leq {{(B)} + {\Pr\left\lbrack A^{ɛ_{n}{(\because)}}\Rightarrow 1 \right\rbrack} - {{\Pr\left\lbrack {{K\overset{\$}{\leftarrow}};\left. A^{\$_{K}{(\because)}}\Rightarrow 1 \right.} \right\rbrack}.}}$

A sequence of three games in FIG. 10 helps illustrate the proof. In FIG.10, boxed commands are included in Game 1 but omitted from Game 2,causing the ϵ_(Π) oracle to always return random strings. Game 3 boundsthe probability that this change can be detected by an adversary (asmeasured by the probability that a “bad” value will be set).

s is the stretch of Encode_(M). Game 1 (in FIG. 10) implements ϵ_(Π)using lazy-sampling to define Π. In particular, on the i-th query(H_(i), M_(i)), Game 1 computes the encodings H _(i), M _(i) and thensamples a potential value S_(i) to assign to Π(H _(i), M _(i)). Thisvalue will be valid so long as Π(H _(i), M _(i)) has not already beenset, and as long as S_(i) has not been used with H _(i) before;otherwise, Game 1 sets bad₁ or bad₂, and then reassigns S_(i) anappropriate value.

Since Game 2 (in FIG. 10) is identical to Game 1 until bad₁ or bad₂ isset:Pr[A ^(ϵ) ^(Π) ^((⋅,⋅))

1]=Pr[G1(A)

1]=Pr[G1(A)

1

(bad₁

bad₂)]+Pr[G1(A)

1

(bad₁

bad₂)]≤Pr[G2(A); bad₁

bad₂]+Pr[G2(A)

1

(bad₁

bad₂)],where the final line uses an alternative formulation of the fundamentallemma of game-playing. In Game 2, the value of S_(i) is always uniformlyrandom in {0,1}^(|M) ^(i) ^(|+s), and ϵ_(Π)'s outputs are independent ofeach M_(i). Consequently, assigning values to each M_(i) can bepostponed until after A halts. This in turn allows postponing ofchecking to see if bad₁ or bad₂ should be set without altering theprobability that they will be. Making both these changes yields Game 3(in FIG. 10), so Pr[G2(A); bad₁

bad₂]=Pr[G3(A); bad₁

bad₂]. Thus:

${{\Pr\left\lbrack {G\; 2(A)}\Rightarrow{1\bigwedge{⫬ \left( {{bad}_{1}\bigvee{bad}_{2}} \right)}} \right\rbrack} = {{{\Pr\left\lbrack {G\; 3(A)}\Rightarrow{1\bigwedge{⫬ \left( {{bad}_{1}\bigvee{bad}_{2}} \right)}} \right\rbrack} \leq {\Pr\left\lbrack {G\; 3(A)}\Rightarrow 1 \right\rbrack}} = {\Pr\left\lbrack {{K\overset{\$}{\leftarrow}};\left. A^{\$_{K}{(\because)}}\Rightarrow 1 \right.} \right\rbrack}}},$where the final equality follows from the fact that in Game 3, eachS_(i) is sampled independently and uniformly at random from the set ofappropriately sized strings. To recap, at this point:Adv_(Ψ) ^(priv)(A)≤

(B)+Pr[G3(A); bad₁

bad₂].

To establish an upper bound for Pr[G3(A); bad₁

bad₂], suppose that A has just generated its output after running inGame 3. To bound the probability that bad₁ gets set, N=|{H _(i): i≤q}|is the number of distinct tweak encodings generated during the course ofthe game. R₁, R₂, . . . , R_(N) ⊂ {1,2, . . . , q} are equivalenceclasses characterized by the property that i and j are in the same classif and only if H _(i)=H _(j). The probability that bad₁ will be set isat most Σ_(k) δ_(M)(|R_(k)|). The upper bound is obtained by summing thevalues of the increasing convex function δ_(M) at the points |R₁|, |R₂|,. . . , |R_(N)| where |R₁|+|R₂|+ . . . +|R_(N)|=q. Consequently, thebound is largest (for fixed q) when N=1 and R₁={1,2, . . . , q}. Butsuppose that each |R_(k)|<d, an event denoted as Capped. In this case,Pr[G3(A);

Capped]≤δ_(H)(q). Given that Capped occurs, Σ_(k) δ_(M)(|R_(k)|) islargest when N=[q/(d−1)] and |R_(k)|=d−1 for k=1,2, . . . , N−1. Thisyields:

${\Pr\left\lbrack {{G\; 3(A)};{bad}_{1}} \right\rbrack} \leq {{\Pr\left\lbrack {{G\; 3(A)};{{{bad}_{1}\left. {Capped} \right\rbrack} + {{\Pr\left\lbrack {{G\; 3(A)};{bad}_{1}} \right.}{⫬ {Capped}}}}} \right\rbrack}{\Pr\left\lbrack {{G\; 3(A)};{⫬ {Capped}}} \right\rbrack}} \leq {{{\delta_{M}\left( {d - 1} \right)}\left\lceil \frac{q}{d - 1} \right\rceil} + {{\delta_{M}(q)}{{\delta_{H}(q)}.}}}$

Similarly:

${{\Pr\left\lbrack {{G\; 3(A)};{bad}_{2}} \right\rbrack} \leq {{\Pr\left\lbrack {{G\; 3(A)};{{{bad}_{2}\left. {Capped} \right\rbrack} + {{\Pr\left\lbrack {{G\; 3(A)};{bad}_{2}} \right.}{⫬ {Capped}}}}} \right\rbrack}{\Pr\left\lbrack {{G\; 3(A)};{⫬ {Capped}}} \right\rbrack}} \leq {{\frac{\left( {d - 1} \right)\left( {d - 2} \right)}{2^{m + 1}}\left\lceil \frac{q}{d - 1} \right\rceil} + {\frac{q\left( {q - 1} \right)}{2^{m + 1}}{\delta_{H}(q)}}}},$since the standard i

i(i−1)/2^(m+1) birthday bound (for the probability of a collision amongindependent random variables sampled uniformly from {0,1}^(m)) meets thecriterion of an increasing convex function.

Proof of Theorem 8. Let B be the STPRP adversary that simulates theINT-CTXT experiment for A and outputs 1 if A would set Forges to true.Then Adv_(Ψ) ^(ctxt)(A)≤

(B)+Adv_(Ψ[Π]) ^(int-ctxt)(A) where Ψ[Π] is the scheme obtained byreplacing {tilde over (E)}_(K) and {tilde over (E)}_(K) ⁻¹ with Π andΠ⁻¹, respectively, everywhere in the algorithms of Ψ, and Adv_(Ψ[Π])^(int-ctxt)(A) is defined in the natural way (with probabilities overthe random choice of Π, rather than K).

Game 4 (FIG. 11) simulates the IND-CTXT experiment for Sϵ[Π]. Bydefining Π through lazy sampling, Adv_(Ψ[Π]) ^(int-ctxt)(A)=Pr[G4(A);Forges]. In the code for the

_(Π) oracle, it need not check if Π⁻¹(H, Y) has already been defined;this possibility is excluded by the fact that A does not repeat queriesto

_(Π), and does not send

_(Π) a value previously returned by ϵ_(Π) (while preserving the header).For some query to

_(Π). The probability that A forges on this query is equal to theprobability that the corresponding, randomly chosen value of

is a valid encoding. There are at most 2^(|Y|)∈ valid encodings of thecorrect length, and

is sampled from a set of size at least 2^(|Y|)−(q_(ϵ)+

). Consequently, A forges on this query with probability at most2^(|Y|)∈/(2^(|Y|)−(q_(ϵ)+

))<2^(m)∈/(2^(m)−2^(m−1))=2∈. A union bound completes the proof.

In view of the many possible embodiments to which the principles of thedisclosed invention may be applied, it should be recognized that theillustrated embodiments are only preferred examples of the invention andshould not be taken as limiting the scope of the invention. Rather, thescope of the invention is defined by the following claims. We thereforeclaim as our invention all that comes within the scope and spirit ofthese claims.

We claim:
 1. A computer-implemented method comprising: receiving a header and a plaintext message; processing the plaintext message using a variable-input-length tweakable cipher (“VILTC”) to provide authenticated encryption with associated data, wherein the processing the plaintext message includes: determining a modified header using the header and reconstruction information; determining a modified message using the plaintext message and at least part of the modified header; and encrypting the modified message using the VILTC with the modified header as a tweak for the VILTC; and outputting the header and the encrypted message.
 2. The method of claim 1 further comprising: outputting the reconstruction information.
 3. The method of claim 1 wherein the reconstruction information is a nonce, and wherein the determining the modified message includes: adding the nonce as a prefix of the modified message.
 4. The method of claim 1 wherein the processing the plaintext message further includes, as part of the determining the modified message, appending a pre-determined number of zero bits to the plaintext message.
 5. The method of claim 1 wherein the reconstruction information is a value of a counter or random number.
 6. The method of claim 1 wherein the header includes information used for routing during transmission, and wherein the outputting the header and the encrypted message includes transmitting the header and the encrypted message.
 7. The method of claim 1 wherein, for format preserving encryption (“FPE”), the plaintext message is data stored in disk storage or main memory, and wherein the outputting the header and the encrypted message includes storing the header and the encrypted message in disk storage or main memory.
 8. A computer-implemented system comprising one or more processing units, wherein the system is configured to perform operations comprising: receiving a header and an encrypted message; processing the encrypted message using a variable-input-length tweakable cipher (“VILTC”) to provide authenticated decryption with associated data, wherein the processing the encrypted message includes: determining a modified header using the header and reconstruction information; decrypting the encrypted message using the VILTC with the modified header as a tweak for the VILTC, thereby producing a modified message; and determining a plaintext message using the modified message and at least part of the modified header; and outputting the plaintext message.
 9. The system of claim 8 wherein the reconstruction information is a nonce, and wherein the processing the encrypted message further includes: verifying that the nonce matches a prefix of the modified message.
 10. The system of claim 8 wherein the header includes information used for routing during transmission.
 11. The system of claim 8 wherein the header and the encrypted message are received from disk storage or main memory, and wherein the outputting the plaintext message includes storing the plaintext message in disk storage or main memory.
 12. The system of claim 8 wherein the operations further comprise: receiving the reconstruction information.
 13. The system of claim 12 wherein the reconstruction information is a value of a counter or random number.
 14. The system of claim 8 wherein the processing the encrypted message further includes authenticating the plaintext message.
 15. The system of claim 14 wherein the authenticating the plaintext message includes checking for presence of a pre-determined number of zero bits appended to the plaintext message.
 16. A computer-implemented system comprising one or more processing units, wherein the system is configured to perform operations comprising: receiving a header and a plaintext message, wherein the plaintext message is data from disk storage or main memory; processing the plaintext message using a variable-input-length tweakable cipher (“VILTC”) to provide authenticated encryption with associated data, wherein the processing the plaintext message includes: determining a modified header using the header and reconstruction information; determining a modified message using the plaintext message and at least part of the modified header; and encrypting the modified message using the VILTC with the modified header as a tweak for the VILTC; and outputting the header and the encrypted message, including storing the header and the encrypted message in disk storage or main memory.
 17. The system of claim 16 wherein the operations further comprise outputting the reconstruction information to disk storage or main memory.
 18. A computer-implemented method comprising: receiving a header and an encrypted message, wherein the encrypted message is data from disk storage or main memory; processing the encrypted message using a variable-input-length tweakable cipher (“VILTC”) to provide authenticated decryption with associated data, wherein the processing the encrypted message includes: determining a modified header using the header and reconstruction information; decrypting the encrypted message using the VILTC with the modified header as a tweak for the VILTC, thereby producing a modified message; and determining a plaintext message using the modified message and at least part of the modified header; and outputting the plaintext message, including storing the plaintext message in disk storage or main memory.
 19. The method of claim 18 further comprising: receiving the reconstruction information.
 20. One or more non-transitory computer-readable media storing computer-executable instructions for causing a computer system, when programmed thereby, to perform operations comprising: receiving first data and plaintext second data; processing the plaintext second data using a variable-input-length tweakable cipher (“VILTC”) to provide authenticated encryption with associated data, wherein the processing the plaintext second data includes: determining modified first data using the first data and reconstruction information; determining modified second data using the plaintext second data and at least part of the modified first data; and encrypting the modified second data using the VILTC with the modified first data as a tweak for the VILTC; and outputting the first data and the encrypted second data.
 21. The one or more non-transitory computer-readable media of claim 20 wherein the first data is a header and the plaintext second data is a plaintext message.
 22. The one or more non-transitory computer-readable media of claim 20 wherein the plaintext second data comprises at least part of a credit card number.
 23. The one or more non-transitory computer-readable media of claim 20 wherein the reconstruction information is a nonce, and wherein the determining the modified second data includes: adding the nonce as a prefix of the plaintext second data.
 24. The one or more non-transitory computer-readable media of claim 20 wherein the processing the plaintext second data further includes, as part of the determining the modified second data, appending a pre-determined number of zero bits to the plaintext second data.
 25. One or more non-transitory computer-readable media storing computer-executable instructions for causing a computer system, when programmed thereby, to perform operations comprising: receiving first data and encrypted second data; processing the encrypted second data using a variable-input-length tweakable cipher (“VILTC”) to provide authenticated decryption with associated data, wherein the processing the encrypted second data includes: determining modified first data using the first data and reconstruction information; decrypting the encrypted second data using the VILTC with the modified first data as a tweak for the VILTC, thereby producing modified second data; and determining plaintext second data using the modified second data and at least part of the modified first data; and outputting the plaintext second data.
 26. The one or more non-transitory computer-readable media of claim 25 wherein the first data is a header and the plaintext second data is a plaintext message.
 27. The one or more non-transitory computer-readable media of claim 25 wherein the plaintext second data comprises at least part of a credit card number.
 28. The one or more non-transitory computer-readable media of claim 25 wherein the reconstruction information is a nonce, and wherein the processing the encrypted second data further includes: verifying that the nonce matches a prefix of the modified second data.
 29. The one or more non-transitory computer-readable media of claim 25 wherein the processing the encrypted second data further includes authenticating the plaintext second data. 